django
Security release issued
Today the Django team is issuing a new release -- Django 1.2.2 -- to remedy a security issue reported to us. This issue was disclosed independently by two different parties, and all users of Django 1.2 are urged to upgrade immediately.
Description of issue
As of the 1.2 release, the core Django framework includes a system, enabled by default, for detecting and preventing cross-site request forgery (CSRF) attacks against Django-powered applications. Previous Django releases provided a different, optionally-enabled system for the same purpose.
The Django 1.2 CSRF protection system involves the generation of a random token, inserted as a hidden field in outgoing forms. The same value is also set in a cookie, and the cookie value and form value are compared on submission.
The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks.
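The following is an added illustration, not code from Django itself: it models the hidden-field rendering described above, once with the cookie value trusted verbatim (the 1.2 behaviour) and once HTML-escaped (the 1.2.2 fix), using a constructed tampered cookie value. The markup string, the `TOKEN_RE` pattern and the helper names are assumptions for the demonstration.

```python
import html
import re

# Constructed sample values, not real Django tokens.
LEGIT_COOKIE = "a3f9c2e1b7d4"                       # a well-formed random token
TAMPERED_COOKIE = "'><script>/*injected*/</script>"  # cookie an attacker controls

# Assumption: a genuine CSRF token is purely alphanumeric.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]+$")

# Markup modelled on the hidden field emitted by {% csrf_token %}.
FIELD_TEMPLATE = ("<input type='hidden' name='csrfmiddlewaretoken' "
                  "value='%s' />")


def render_csrf_field_unescaped(cookie_value):
    """Models Django 1.2: the cookie value is trusted and inserted as-is."""
    return FIELD_TEMPLATE % cookie_value


def render_csrf_field_escaped(cookie_value):
    """Models the 1.2.2 fix: the cookie value is escaped before rendering,
    so a tampered cookie can only ever appear as text inside the attribute."""
    return FIELD_TEMPLATE % html.escape(cookie_value, quote=True)


def is_well_formed_token(cookie_value):
    """Defensive check a view could apply before rendering: reject any
    cookie value that does not look like a token at all."""
    return bool(TOKEN_RE.match(cookie_value))


def leaks_markup(rendered):
    """True when the rendered field contains a second tag, i.e. the cookie
    value broke out of the value attribute."""
    return rendered.count("<") > 1


if __name__ == "__main__":
    print("1.2  :", render_csrf_field_unescaped(TAMPERED_COOKIE))
    print("1.2.2:", render_csrf_field_escaped(TAMPERED_COOKIE))
```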
This issue was first reported via a public ticket in Django's Trac instance; while it was being triaged, it was independently reported, with a broader description, by Jeff Balogh of Mozilla.
Affected versions
- Django development trunk
- Django 1.2
Because the current CSRF-protection system is new as of Django 1.2, older releases are unaffected.
Resolution
Patches have been applied to Django trunk and to the 1.2 release branch to ensure the cookie value is never trusted and is always escaped. Future Django releases may migrate away from the use of a dedicated cookie to avoid the possibility of such issues.
Patches may be obtained directly from the appropriate changesets:
- Django trunk: Changeset 13698
- Django 1.2: Changeset 13699
The following release has been issued:
General notes regarding security
As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list.
Due to the time-sensitive nature of this issue, our normal process of advance notification of distributors of Django was not followed; notification to distributors was sent just prior to issuance of this release. If you are or represent a third-party distributor of Django and did not receive a notification email from the Django release manager, please contact james@b-list.org.
Django 1.2.1 released
As previously announced, today marks the release of Django 1.2.1, the first bugfix release in the Django 1.2 series. For the package itself, swing by our downloads page; and as always, signed checksums of the release package are available.
As a bugfix release, Django 1.2.1 contains no new features -- only the fixes for a few bugs noted in the previous announcements, along with two more tickets which had quick fixes available: #13592 and #13590.
Django 1.2.1 -- update 2
As mentioned previously, we decided to hold off the release of Django 1.2.1 a bit to investigate a bug reported shortly after 1.2; I'm happy to announce that the relevant ticket has now been closed out, along with a couple of other tickets reported against 1.2. To be on the safe side, though, we're going to give Django 1.2 the rest of the weekend to shake out a bit, and release Django 1.2.1 on Monday, May 24.
Assuming no other critical issues come up over the weekend, Django 1.2.1 will differ from 1.2 in having an updated documentation builder, and the fixes for the following issues:
- #13577 -- updated Polish localization
- #13569 -- applying the correct username restrictions during superuser creation
- #13560 -- fix localization with SplitDateTimeField and other multi-value fields/widgets
- #13573 -- ensuring the cached template loader uses the correct full template path
- #13566 and #13563 -- fixing a few typos in the documentation.
Announcing DjangoCon US 2010
It's official: DjangoCon US 2010 is a go!
We're back in Portland, Oregon September 7th-9th. Last year was a blast, and the planning team is working their butts off to make sure that this year is even better. Come on out to see some great talks and meet a bunch of awesome people.
Registration and talk submissions are open at djangocon.us, where you'll also find venue information, schedules, and all other conference details. You'll want to register soon: early bird rates end June 8th and we may sell out before then.
We'll be holding development sprints the three days following the conference (September 10th - 12th). The sprints, as always, are free, and everyone's invited (including those who didn't come to the conference).
This year there's a new crew bringing you the conference: DjangoCon US 2010 is being produced by Steve Holden's Mighty Python Empire, technically supported by Eldarion, and run by the community.
I hope to see you there!