Django | Weblog | Security fix released
Security fix released
Today we're releasing a fix for a security vulnerability discovered in Django's internationalization framework. The complete details are below, but the executive summary is that you should update to a fixed version of Django immediately.
We are releasing point-releases of all affected Django versions. You can download them at http://www.djangoproject.com/download/. Those tracking trunk development should "svn update" as soon as possible.
Please direct any questions about this release to django-users (http://groups.google.com/group/django-users).
Description of vulnerability
A per-process cache used by Django's internationalization ("i18n") system to store the results of translation lookups for particular values of the HTTP Accept-Language header used the full value of that header as a key. An attacker could take advantage of this by sending repeated requests with extremely large strings in the Accept-Language header, potentially causing a denial of service by filling available memory.
Due to limitations imposed by web server software on the size of HTTP header fields, combined with reasonable limits on the number of requests which may be handled by a single server process over its lifetime, this vulnerability may be difficult to exploit. Additionally, it is only present when the "USE_I18N" setting in Django is "True" and the i18n middleware component is enabled*. Nonetheless, all users of affected versions of Django are encouraged to update.
Affected versions
Django trunk prior to revision [6608]
Django 0.96
Django 0.95 (including 0.95.1)
Django 0.91
Resolution
New versions of Django containing this fix have been released today which alter this caching mechanism to store shortened, normalized values and to reject improperly formatted headers.
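The following is an added example, not Django's code, illustrating the cache pattern described in the vulnerability section above and the shape of fix described here: a per-process dict keyed on the raw Accept-Language string beside one keyed on a normalized, length-bounded parse that refuses malformed headers. The limits (MAX_HEADER_LENGTH, MAX_LANGUAGE_RANGES), the fallback DEFAULT_LANGUAGE, the regular expression and the sample headers are this example's own assumptions, not values from the Django release.

```python
import re
from typing import Optional, Tuple

# Constructed example: a per-process translation cache keyed on the HTTP
# Accept-Language header, shown first in the unbounded form the advisory
# describes and then with the kind of fix it describes (normalized, bounded
# keys and rejection of malformed headers).  This is not Django's code.

DEFAULT_LANGUAGE = "en"          # assumption: fallback language for this example
MAX_HEADER_LENGTH = 256          # assumption: example's own bound on header size
MAX_LANGUAGE_RANGES = 10         # assumption: example's own bound on list length

# One language-range with an optional quality value, roughly following the
# Accept-Language syntax of RFC 2616 section 14.4 (pattern is this example's own).
_LANG_RANGE_RE = re.compile(
    r"^\s*([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)"                 # en, en-US, *
    r"\s*(?:;\s*q\s*=\s*(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?\s*$"     # optional ;q=0.8
)

Prefs = Tuple[Tuple[str, float], ...]


def choose_language(prefs: Optional[Prefs]) -> str:
    """Pick the highest-weighted concrete language, or the default."""
    if not prefs:
        return DEFAULT_LANGUAGE
    lang, _q = prefs[0]
    return DEFAULT_LANGUAGE if lang == "*" else lang


def lookup_vulnerable(cache: dict, header: str) -> str:
    """Bug pattern from the advisory: the raw header string is the cache key.

    Every distinct header value, however long or malformed, adds an entry that
    lives for the rest of the process, so memory grows without bound."""
    if header not in cache:
        # Lenient parse: take the first comma-separated range, drop any ;q=.
        first = header.split(",")[0].split(";")[0].strip().lower()
        cache[header] = first or DEFAULT_LANGUAGE
    return cache[header]


def parse_accept_language(header: str) -> Optional[Prefs]:
    """Normalize a header into a bounded, canonical tuple; None if malformed."""
    if len(header) > MAX_HEADER_LENGTH:
        return None
    parts = header.split(",")
    if len(parts) > MAX_LANGUAGE_RANGES:
        return None
    prefs = []
    for part in parts:
        m = _LANG_RANGE_RE.match(part)
        if m is None:
            return None
        q = float(m.group(2)) if m.group(2) is not None else 1.0
        prefs.append((m.group(1).lower(), q))
    # Stable sort by descending q keeps header order among equal weights.
    prefs.sort(key=lambda p: -p[1])
    return tuple(prefs)


def lookup_fixed(cache: dict, header: str) -> str:
    """Fixed pattern: cache only normalized, length-bounded keys.

    Malformed or oversized headers get the default language and are never
    cached, so the key space stays finite regardless of what clients send."""
    key = parse_accept_language(header)
    if key is None:
        return DEFAULT_LANGUAGE
    if key not in cache:
        cache[key] = choose_language(key)
    return cache[key]


def cache_entries_after(lookup, headers) -> int:
    """Feed a sequence of headers through one lookup and report cache growth."""
    cache: dict = {}
    for h in headers:
        lookup(cache, h)
    return len(cache)


# Constructed sample headers: two spellings of the same preference, two
# oversized values, and one with a malformed quality value.
SAMPLE_HEADERS = [
    "en-us,en;q=0.8",
    "EN-US, en;q=0.8",
    "a" * 300,
    "b" * 300,
    "en;q=bogus",
]

if __name__ == "__main__":
    print("vulnerable cache entries:", cache_entries_after(lookup_vulnerable, SAMPLE_HEADERS))
    print("fixed cache entries:     ", cache_entries_after(lookup_fixed, SAMPLE_HEADERS))
```

Running the block shows the vulnerable dict gaining one entry per distinct header (five for the sample set) while the fixed dict holds a single entry: the two spellings normalize to the same key, and the oversized and malformed headers are answered with the default language without touching the cache. That is the property an operator wants to check after upgrading, since a bounded key space is what turns this from a memory-exhaustion bug into an ordinary cache.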
These versions are called:
Django 0.96.1 (replaces Django 0.96)
Django 0.95.2 (replaces Django 0.95.1)
Django 0.91.1 (replaces Django 0.91)
Anyone using a stable Django release should upgrade to one of these point releases immediately. These fixed versions have already been provided to maintainers of Django packages for various OS distributions and should be released shortly.
Anyone tracking Django's trunk development should use Subversion to update to at least revision [6608].
Additionally, these fixes have been committed to the various "bugfixes" branches:
http://code.djangoproject.com/svn/django/branches/0.91-bugfixes/
http://code.djangoproject.com/svn/django/branches/0.95-bugfixes/
http://code.djangoproject.com/svn/django/branches/0.96-bugfixes/
Anyone running custom versions of Django should download and apply the patches directly. These patches are available at http://media.djangoproject.com/patches/2007-10-26-security-fix/.
* This post originally failed to mention that the i18n middleware component must be enabled to trigger the bug.
Posted by Jacob on October 26, 2007
Comments
Clint Ecker, October 26, 2007 at 3:09 p.m.
I think the communication you guys have put together about this issue is excellent. I hope you don't find yourself having to do this many more times in the future :)
Mike, October 26, 2007 at 3:29 p.m.
Wow, even 0.91 got updated - that is support.
Josh Simpson, October 26, 2007 at 9:56 p.m.
Great explanation and coverage. It's really appreciated, thanks guys!
Steve Bergman, October 28, 2007 at 9:26 p.m.
This was handled very professionally. I did Rails for a while, and shortly after I started, they had a security release. DHH did major hand-waving about how everyone should upgrade immediately! But absolutely refused to say what the problem was. (He seemed to be enjoying the cloak-and-dagger aspects.) I didn't have Rails apps deployed, so it didn't affect me directly. But the poor execution worried me.
One thing I like about Django is the no-nonsense, professional way that the project is run.
Cynic, November 1, 2007 at noon
And we have a favicon!!!!!!!!!!!!
OK, OK, that didn't actually happen at the same time as the update (I just saw it today); but it still looks damn spiffy in my Firefox tab : )
Georges, November 2, 2007 at 5:05 a.m.
Finally the favicon!!!
Jurgen, November 2, 2007 at 1:54 p.m.
Good day Django devs, very good work.
guotie, November 6, 2007 at 12:12 a.m.
No progress recently?
© 2005-2007 Lawrence Journal-World unless otherwise noted. Django is a registered trademark of Lawrence Journal-World.