Django updates address security bugs
The Django Project has released updates to the 1.2.x and 1.3.x branches of the Python-based web framework. According to the developers, versions 1.2.6 and 1.3.1 contain patches for a number of security problems found in previous versions; however, due to a problem with the 1.2.6 release tarball, the developers have issued Django 1.2.7.
The problems fixed include a session manipulation bug, a denial-of-service (DoS) vulnerability in Django's URLField, redirection issues with the URLField and a potential route to cache poisoning. All users are advised to upgrade to the latest versions as soon as possible.
There are though, a number of potential problems which are not fixed. For these, the developers are offering advice on how to mitigate a Django installation's exposure to them. For example, it is possible to by-pass Django's CSRF-protection mechanism with certain server configurations; the developers recommend thorough validation of headers to mitigate against this. Other problems addressed relate to how to obscure sensitive POST data in DEBUG pages and cookie-related CSRF mitigations.
The details of the updates and advice on mitigating other issues is available in a post on the Django weblog. Versions 1.2.7 and 1.3.1 of Django are available to download from the project's site. Django is released under the BSD licence.