Security releases issued

In accordance with our security release policy, the Django team is issuing multiple releases -- Django 1.4.20, 1.6.11, 1.7.7 and 1.8c1. These releases are now available on PyPI and our download page. These releases address several security issues detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master branch has also been updated.

Django 1.8 is now at release candidate stage. This marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, 1.8 final will be issued on or around April 1. Any delays will be communicated on the django-developers mailing list thread.

Mitigated possible XSS attack via user-supplied redirect URLs Django relies on user input in some cases (e.g. django.contrib.auth.views.login and i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely django.utils.http.is_safe_url() ) accepted URLs with leading control characters and so considered URLs like \x08javascript:... safe. This issue doesn't affect Django currently, since we only put this URL into the Location response header and browsers seem to ignore JavaScript there. Browsers we tested also treat URLs prefixed with control characters such as %08//example.com as relative paths so redirection to an unsafe target isn't a problem either. However, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack as some browsers such as Google Chrome ignore control characters at the start of a URL in an anchor href . Thanks Daniel Chatfield for reporting the issue. This issue has been assigned the identifier CVE-2015-2317.

Affected versions Django master development branch

Django 1.8 (currently at release candidate status)

Django 1.7

Django 1.6

Django 1.4 (is_safe_url() issue only) Per our supported versions policy, Django 1.5 is no longer receiving security updates.