ANNOUNCE: Security updates for Django trunk, 0.96, 0.95 and 0.91

James Bennett

Sep 2, 2008, 5:59:00 PM
to django...@googlegroups.com, django-d...@googlegroups.com
In accordance with our security policy[1], today the Django project is
issuing a set of releases to fix a security vulnerability reported to
us. This message contains a description of the vulnerability, a
description of the changes made to fix it, and pointers to the patches
for each supported version of Django.


Description of vulnerability
============================

The Django administration application, as a convenience for users
whose sessions expire, will attempt to preserve HTTP POST data from an
incoming submission while re-authenticating the user, and will -- on
successful authentication -- allow the submission to continue without
requiring data to be re-entered.

Django developer Simon Willison has presented the Django development
team with a proof-of-concept cross-site request forgery (CSRF) which
exploits this behavior to perform unrequested deletion/modification of
data. This exploit has been tested and verified by the Django team,
and succeeds regardless of whether Django's bundled CSRF-protection
module is active.


Affected versions
=================

* Django development trunk
* Django 0.96
* Django 0.95
* Django 0.91


Resolution
==========

As it represents a persistent vector for CSRF attacks, this behavior
is being removed from Django; henceforth, attempted posts from users
whose sessions have expired will be discarded and the data will need
to be re-entered.

This is, then, backwards-incompatible with existing behavior and may
be considered a feature removal; however, the Django team feel that
the security risks of this feature outweigh its minor utility.

The fix for this issue was applied to the Django repository in
changeset 8877, which contains the relevant changes for each affected
version::

http://code.djangoproject.com/changeset/8877

Based on these changes, the Django team is issuing three new releases:

* Django 0.96.3: http://www.djangoproject.com/download/0.91.3/tarball/
* Django 0.95.4: http://www.djangoproject.com/download/0.95.4/tarball/
* Django 0.91.3: http://www.djangoproject.com/download/0.96.3/tarball/

The relevant patch has been applied to Django trunk as well, and so
will be included in the forthcoming Django 1.0 release candidate (to
be issued later today) and the final Django 1.0 release.

All users of affected Django versions are encouraged to upgrade
immediately.

A file containing the MD5 and SHA1 checksums of the new release
packages has been placed on the ``djangoproject.com`` server::

http://media.djangoproject.com/pgp/django-security-releases-20080901.checksums.txt

This file is PGP-signed with the Django release manager's public
key. This key has the fingerprint ``0x8C8B2AE1`` and can be obtained
from, e.g., the MIT PGP keyserver::

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8C8B2AE1


Release manager's note
======================

If you are currently maintaining and distributing a packaged version
of Django (e.g., for a Linux or other Unix distribution), or if you
are a hosting company which officially supports Django as an option
for customers, and you did **not** receive an advance notification of
this issue, please contact Django's release manager (James Bennett,
james at b-list dot org) as soon as possible so that you can be added
to the list of known distributors who receive such notifications.


[1]
http://www.djangoproject.com/documentation/contributing/#reporting-security-issues


--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
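As an added illustration (not code from Django or from this announcement), the following models the behaviour the message describes: the old wrapper carries an expired-session POST through the login form and replays it once the user authenticates, so a submission forged by another site completes with the user's fresh credentials, while the post-fix wrapper simply drops it. `Request`, `delete_view` and the password check are constructed stand-ins, not Django APIs.

```python
import base64
import json
from dataclasses import dataclass, field

@dataclass
class Request:  # constructed stand-in for an HTTP request, not Django's
    method: str
    POST: dict = field(default_factory=dict)
    session_valid: bool = False

def delete_view(request):  # stand-in for a state-changing admin view
    if request.method == "POST" and request.POST.get("action") == "delete":
        return ("deleted", request.POST.get("id"))
    return ("form", None)

def _authenticated(post):
    return post.get("password") == "correct"  # hypothetical credential check

def preserving_login_required(view):
    """Pre-fix behaviour: stash the incoming POST in the login form, replay it after login."""
    def wrapper(request):
        if request.session_valid:
            return view(request)
        if "post_data" in request.POST and _authenticated(request.POST):
            stashed = json.loads(base64.b64decode(request.POST["post_data"]))
            # The original POST, possibly forged elsewhere, now runs with the fresh session.
            return view(Request("POST", stashed, session_valid=True))
        if request.method == "POST":
            return ("login_form", base64.b64encode(json.dumps(request.POST).encode()).decode())
        return ("login_form", None)
    return wrapper

def discarding_login_required(view):
    """Post-fix behaviour (changeset 8877): a POST with an expired session is dropped."""
    def wrapper(request):
        if request.session_valid:
            return view(request)
        if request.method == "POST" and _authenticated(request.POST):
            return ("logged_in", None)  # user must deliberately re-submit
        return ("login_form", None)
    return wrapper

def simulate(decorator):
    """Expired-session POST, then the user submitting the login form it produced."""
    view = decorator(delete_view)
    first = view(Request("POST", {"action": "delete", "id": "42"}))
    login = {"username": "admin", "password": "correct"}
    if first[1] is not None:
        login["post_data"] = first[1]  # hidden field carried back by the login form
    return view(Request("POST", login))
```

Running `simulate` with each decorator shows the difference: the preserving wrapper ends with the stashed delete executed, the discarding one only with the user logged in.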
