[ANNOUNCE] Security releases and advisory issued (1.7.6 and 1.8b2)


Tim Graham

Mar 9, 2015, 4:01:57 PM
to django-...@googlegroups.com, django-d...@googlegroups.com, django...@googlegroups.com
Today the Django team issued multiple releases -- Django 1.7.6 and 1.8b2 -- as part of our security process. These releases address a publicly reported security issue, and we encourage all users to upgrade as soon as possible.

More details can be found on our blog:

https://www.djangoproject.com/weblog/2015/mar/09/security-releases/

As a reminder, we ask that potential security issues be reported via private email to secu...@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see https://www.djangoproject.com/security for further information.

Francis Devereux

Mar 9, 2015, 4:24:57 PM
to django...@googlegroups.com
Hi,

On 9 Mar 2015, at 16:01, Tim Graham <timog...@gmail.com> wrote:
>
> Today the Django team issued multiple releases -- Django 1.7.6 and 1.8b2 -- as part of our security process. These releases address a publicly reported security issue, and we encourage all users to upgrade as soon as possible.

Thanks for these fixes.

Is Django 1.6.x vulnerable to these issues?

Francis

Markus Holtermann

Mar 9, 2015, 4:37:57 PM
to django...@googlegroups.com
Hey Francis,

With respect to the ModelAdmin.readonly_fields: no, the vulnerability was introduced in 1.7.

With respect to the advisory: yes, all projects that make use of the template filters in Python code and rely on Django 1.0 to 1.8b1 (inclusive) are vulnerable.

Best,

/Markus