django | weblog | security fix released
security fix released
today we're releasing a fix for a security vulnerability discovered in
django's internationalization framework. the complete details are below,
but the executive summary is that you should update to a fixed version
of django immediately.
we are releasing point-releases of all affected django versions. you can
download them at http://www.djangoproject.com/download/. those tracking
trunk development should "svn update" as soon as possible.
please direct any questions about this release to django-users
(http://groups.google.com/group/django-users).
description of vulnerability
a per-process cache used by django's internationalization ("i18n") system to
store the results of translation lookups for particular values of the http
accept-language header used the full value of that header as a key. an
attacker could take advantage of this by sending repeated requests with
extremely large strings in the accept-language header, potentially causing a
denial of service by filling available memory.
due to limitations imposed by web server software on the size of http header
fields, combined with reasonable limits on the number of requests which may
be handled by a single server process over its lifetime, this vulnerability
may be difficult to exploit. additionally, it is only present when the
"use_i18n" setting in django is "true" and the i18n middleware component is enabled*. nonetheless, all users of affected
versions of django are encouraged to update.
affected versions
django trunk prior to revision [6608].
django 0.96
django 0.95 (including 0.95.1)
django 0.91
resolution
new versions of django containing this fix have been released today which
alter this caching mechanism to store shortened, normalized values and to
reject improperly formatted headers.
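To make the cache-key problem described above and the shape of the fix concrete, here is an added illustrative example in Python. It is not Django's code and does not reproduce the actual 2007 patch; the supported-language set (SUPPORTED), the limits (MAX_ELEMENTS, MAX_ELEMENT_LEN, MAX_CACHE_ENTRIES) and the helper names are all constructed for this example. The first lookup memoises on the raw header string, so every distinct header a client sends costs a new cache entry whose size the client chose. The second validates each element against a language-range pattern, rejects the whole header if any element is malformed or oversized, normalizes it to a short tuple, and bounds the cache with LRU eviction.

```python
import re
from collections import OrderedDict

# Constructed sample of supported languages; in Django these come from settings.
SUPPORTED = {"en", "de", "fr"}
DEFAULT_LANGUAGE = "en"


def _resolve(lang_tags):
    """Pick the first supported tag (or its primary subtag), else the default."""
    for tag in lang_tags:
        if tag in SUPPORTED:
            return tag
        primary = tag.split("-", 1)[0]
        if primary in SUPPORTED:
            return primary
    return DEFAULT_LANGUAGE


# ---- Vulnerable shape: memoise on the raw header string ----------------------
_raw_cache = {}


def get_language_vulnerable(accept_header):
    """Every distinct header value becomes a new, never-evicted cache entry,
    and the key is exactly as long as the client made the header."""
    if accept_header not in _raw_cache:
        tags = [p.split(";")[0].strip().lower() for p in accept_header.split(",")]
        _raw_cache[accept_header] = _resolve(t for t in tags if t)
    return _raw_cache[accept_header]


# ---- Hardened shape: validate, normalize, shorten, bound the cache -----------
# One Accept-Language element: a language-range plus an optional q-value.
_ELEMENT_RE = re.compile(
    r"^\s*([a-zA-Z]{1,8}(?:-[a-zA-Z0-9]{1,8})*|\*)\s*"
    r"(?:;\s*q\s*=\s*(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?\s*$"
)
MAX_ELEMENTS = 10        # language ranges kept per header (the rest are dropped)
MAX_ELEMENT_LEN = 32     # longest element accepted, so cache keys stay short
MAX_CACHE_ENTRIES = 1024  # hard bound on the per-process cache
_norm_cache = OrderedDict()


def parse_accept_lang_header(accept_header):
    """Return ((tag, q), ...) sorted by descending q, or () if any element is malformed."""
    parsed = []
    for element in accept_header.split(",")[:MAX_ELEMENTS]:
        # Length check first so the regex never sees an oversized element.
        if len(element) > MAX_ELEMENT_LEN or _ELEMENT_RE.match(element) is None:
            return ()  # reject the whole header
        match = _ELEMENT_RE.match(element)
        tag, q = match.group(1).lower(), match.group(2)
        parsed.append((tag, float(q) if q is not None else 1.0))
    parsed.sort(key=lambda item: -item[1])  # stable sort: ties keep header order
    return tuple(parsed)


def get_language_hardened(accept_header):
    """Memoise on the short normalized form with an LRU bound on the cache."""
    key = parse_accept_lang_header(accept_header)
    if not key:
        return DEFAULT_LANGUAGE  # malformed or empty: nothing is cached
    if key in _norm_cache:
        _norm_cache.move_to_end(key)
        return _norm_cache[key]
    lang = _resolve(tag for tag, _ in key)
    _norm_cache[key] = lang
    if len(_norm_cache) > MAX_CACHE_ENTRIES:
        _norm_cache.popitem(last=False)  # evict the least recently used entry
    return lang


def cache_sizes():
    """(entries in the raw-keyed cache, entries in the normalized cache)."""
    return len(_raw_cache), len(_norm_cache)


def memory_growth(n):
    """Feed n distinct well-formed headers to both lookups and report cache sizes."""
    _raw_cache.clear()
    _norm_cache.clear()
    for i in range(n):
        header = "en-%d, fr;q=0.5" % i  # constructed, valid, all distinct
        get_language_vulnerable(header)
        get_language_hardened(header)
    return cache_sizes()


if __name__ == "__main__":
    print(memory_growth(2000))  # raw cache keeps all 2000; hardened stops at 1024
    print(get_language_hardened("de-CH, en;q=0.5"))  # falls back to primary tag "de"
```

The two defences are independent: the length and format checks keep any single key small, and the entry bound keeps the cache from growing with the number of distinct clients or requests. Either one alone would still leave a memory-growth path open, which is why the example applies both.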
these versions are called:
django 0.96.1 (replaces django 0.96)
django 0.95.2 (replaces django 0.95.1)
django 0.91.1 (replaces django 0.91)
anyone using a stable django release should upgrade to one of these point
releases immediately. these fixed versions have already been provided to
maintainers of django packages for various os distributions and should be
released shortly.
anyone tracking django's trunk development should use subversion to update
to at least revision [6608].
additionally, these fixes have been committed to the various "bugfixes"
branches:
http://code.djangoproject.com/svn/django/branches/0.91-bugfixes/
http://code.djangoproject.com/svn/django/branches/0.95-bugfixes/
http://code.djangoproject.com/svn/django/branches/0.96-bugfixes/
anyone running custom versions of django should download and apply the
patches directly. these patches are available at
http://media.djangoproject.com/patches/2007-10-26-security-fix/.
* this post originally failed to mention that the i18n middleware component must be enabled to trigger the bug.
posted by jacob on october 26, 2007
comments
clint ecker october 26, 2007 at 3:09 p.m.
i think the communication you guys have put together about this issue is excellent. i hope you don't find yourself having to do this many more times in the future :)
mike october 26, 2007 at 3:29 p.m.
wow, even 0.91 got updated - that is support
josh simpson october 26, 2007 at 9:56 p.m.
great explanation and coverage. it's really appreciated, thanks guys!
steve bergman october 28, 2007 at 9:26 p.m.
this was handled very professionally. i did rails for a while. and shortly after i started, they had a security release. dhh did major hand-waving about how everyone should upgrade immediately! but absolutely refused to say what the problem was. (he seemed to be enjoying the cloak and dagger aspects.) i didn't have rails apps deployed, so it didn't affect me directly. but the poor execution worried me.
one thing i like about django is the no-nonsense, professional way that the project is run.
cynic november 1, 2007 at noon
and we have a favicon!!!!!!!!!!!!
ok, ok, that didn't actually happen at the same time as the update (i just saw it today); but it still looks damn spiffy in my firefox tab : )
georges november 2, 2007 at 5:05 a.m.
finally the favicon!!!
jurgen november 2, 2007 at 1:54 p.m.
good day django devs, very good work.
guotie november 6, 2007 at 12:12 a.m.
no progress lately?
© 2005-2007 lawrence journal-world unless otherwise noted. django is a registered trademark of lawrence journal-world.