Django security releases issued: 5.0.3, 4.2.11, and 3.2.25

In accordance with our security release policy, the Django team is issuing Django 5.0.3, Django 4.2.11, and Django 3.2.25. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()

The django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow-up to CVE-2019-14232 and CVE-2023-43665).

Thanks Seokchan Yoon for the report.

This issue has severity “moderate” according to the Django security policy.

Affected supported versions

Django 5.0
Django 4.2
Django 3.2

Resolution

Patches to resolve the issue have been applied to the 5.0, 4.2, and 3.2
release branches. The patches may be obtained from the following changesets:

On the 5.0 release branch
On the 4.2 release branch
On the 3.2 release branch

The following releases have been issued:

Django 5.0.3 (download Django 5.0.3 | 5.0.3 checksums)
Django 4.2.11 (download Django 4.2.11 | 4.2.11 checksums)
Django 3.2.25 (download Django 3.2.25 | 3.2.25 checksums)

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to [email protected], and not via Django’s Trac instance or the django-developers list. Please see our security policies for further information.

Django accessibility in 2023 and beyond

Happy birthday, Django accessibility team! 🌈

The team has been up and running for three years, and is now looking for new members. With a lot happening in this space, we thought we were overdue for an update on what we’re up to.

Django accessibility in 2023

We’re very happy with the work done to date. There have been a lot of efforts to improve the accessibility of core Django features such as forms, and of the administrative interface. Beyond Django core, there has also been progress on djangoproject.com, Django packages, and community awareness via talks and events.

Django core

We made a lot of improvements this year. Django forms saw big fixes, which shipped in Django 5.0:

Fields’ help text and errors should be associated with input – #32819
Fields’ errors should be programmatically associated with fields – #32820

With forms being such a core feature of Django, reused across countless websites, those changes will lead to accessibility improvements across big parts of the web.

The admin interface also saw a lot of fixes and improvements:

Tab order should match visual order for admin model forms’ submit buttons – #33728
Low text contrast over light blue backgrounds in admin light theme – #34036
Ensures <meta name="viewport"> does not disable text scaling and zooming – #34617
Admin action log entry types should be communicated to screen reader users – #34618
Django admin site name shouldn’t be an h1 – #34621
RelatedFieldWidgetWrapper links don’t convey their state for screen reader users – #34622
Active row states invisible for WHCM users – #34627
RelatedFieldWidgetWrapper link icons are very hard to see – #34628
Use banner landmark or <header> element for the admin header area – #34832
Use a main landmark in the admin interface – #34833
Use search role for the admin changelist search form – #34834
Use a nav element or navigation landmark for changelist filters – #34835
Date picker cancel button does not respect color theme/dark mode – #34857
Main landmark is on the wrong element – #34905
Accessible names for Add / Change buttons in Django Admin – #34909
Admindocs index skips from h1 to h3 – #34911
Admindocs back-links and bookmarklet help text is too small – #34912
Django Admin high contrast mode no clear session – #34913
Missing scope attribute in admin doc table headers – #34919

Some of those improvements will be visible to everyone, while others will only benefit users of specific assistive technologies, such as Contrast themes in Windows:

→ Screenshot of the admin interface in a “Change redirect” form, in Windows high contrast mode with the “Black” theme.

Can you spot the five issues in this screenshot? Though Contrast Themes isn’t well known, it’s a built-in feature of Windows which is essential for people with low vision. There is a lot of room for improvement to better support it in Django.

We’ve also made a lot of progress on documenting accessibility considerations, though there is still work to be done there:

FAQ: What assistive technologies are supported for using the admin?
In progress: Accessibility guidelines for all contributors
In progress: Guidelines for accessibility considerations in documentation

And finally, tooling improvements such as running accessibility checks in the CI pipeline are still a big topic for us, with in-progress efforts to add checks in Selenium tests and standalone with Pa11y.

Django website

In 2023, the website saw its first ever accessibility audit with a focus on the homepage, as well as a good number of accessibility improvements. Those are all very welcome iterative steps in the context of user research on the usability of the website, led by 20tab.

Display all header anchor link indicators, always – #1429
Add Keyboard Accessibility To Hamburger Menu – #1418
Fix selection css on dark mode – #1415
Add back to top link in documentation – #1370
Improve accessibility on warning admonitions – #1360
Accessibility review of djangoproject.com at DjangoCon Europe 2023

Thank you to our website contributors Sarah Abderemane, Thibaud Colas, ontowhee, Sanyam Khurana, Hana Burtin, Paolo Melchiorre, and Tom Carrick ❀.

Accessibility in our community

We’re elated to see accessibility being such a prominent topic in our community. In 2023, there were a lot of accessibility talks at Django events. There were accessibility contributors at the sprints for DjangoCon Europe, and DjangoCon US. The #accessibility channel on the Django Discord was also very active, and we got a new Accessibility forum category.

There were a lot of accessibility-focused talks at Django events:

Django Accessibility for Everyone – DjangoCon Europe 2023, by Lauren Parsons
Consider the Colourblind – Django Day CPH 2023, by Michael Nicholson
Best Practices for Making a Wagtail Site as Accessible as Possible – DjangoCon US 2023, by Scott Cranfill
Django’s accessibility track record – DjangoCon US 2023, by Thibaud Colas
Making Our Python Code More Accessible – PyOhio 2023, by Dmitriy Chukhin & Janelle Bouchard

Our very own accessibility team member Sarah Abderemane was also featured on Django Chat: Accessibility – Sarah Abderemane 🎉, while Tom and Thibaud signed up for Djangonaut Space’s first session as navigators.

Behind the scenes, the accessibility team also started maintaining a backlog of Django accessibility improvements, and publishes its accessibility team meeting notes on the forum.

Django accessibility in numbers

This year, we were able to produce statistics on the accessibility of Django projects, thanks to reports from the HTTP Archive. There is clear room for improvement, with Django websites generally scoring lower than sites built with other technologies:

→ Median Lighthouse website accessibility score of websites by framework. Source: HTTP Archive cwvtech.report, December 2023. Next.js: 85/100, Rails: 83, “All”: 82.5, Django: 80.5, ASP.NET: 79, Laravel: 78.5.

There is also clear data to establish exactly which accessibility issues are common on Django websites:

→ Difference in Lighthouse audit success rate for sites built with Django vs. average site, HTTP Archive 2023-04-01 data, Django vs. “All”. We see 8 metrics where Django does worse than average, and 8 where it does better.

We see those numbers as a good challenge for the Django community to explore ways in which the framework could be improved. There is clear room for improvement, and we have a lot of ideas on how to go about it.

Accessibility plans for 2024

There are a lot of ways in which the accessibility of Django could be improved in 2024. Here are a few ideas that have been discussed so far, where our accessibility team is looking for help:

Django ecosystem accessibility audits: Testing Trac or the Forum; or popular Django packages.
Creating an official Django demo site: converting Tom’s django-admin-demo to a ready-to-use official demo.
Stylesheets linting: To catch and fix common issues such as small font sizes or poor focus states.
Accessibility in docs: A possible big docs overhaul as a Google Season of Docs project.
New, accessible admin components: Addressing big gaps in the admin interface.
User testing: Working directly with users of assistive technologies.
An official Django accessibility statement: On the website, loud and clear.

New members

With this roadmap of improvements in mind, our accessibility team is looking for six new members in 2024. If this sounds like the type of valuable, high-purpose work you want to contribute to – reach out on the Django Discord in #accessibility, or on the forum.

Thank you

Thank you to everyone who took part in making Django more accessible in 2023 and early 2024. You rock!


Django security releases issued: 5.0.2, 4.2.10, and 3.2.24

In accordance with our security release policy, the Django team is issuing Django 5.0.2, Django 4.2.10, and Django 3.2.24. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2024-24680: Potential denial-of-service in intcomma template filter

The intcomma template filter was subject to a potential denial-of-service
attack when used with very long strings.

Thanks Seokchan Yoon for the report.

This issue has severity “moderate” according to the Django security policy.

Affected supported versions

Django main branch
Django 5.0
Django 4.2
Django 3.2

Resolution

Patches to resolve the issue have been applied to Django’s main branch and the
5.0, 4.2, and 3.2 stable branches. The patches may be obtained from the
following changesets:

On the main branch
On the 5.0 release branch
On the 4.2 release branch
On the 3.2 release branch

The following releases have been issued:

Django 5.0.2 (download Django 5.0.2 | 5.0.2 checksums)
Django 4.2.10 (download Django 4.2.10 | 4.2.10 checksums)
Django 3.2.24 (download Django 3.2.24 | 3.2.24 checksums)

The PGP key ID used for this release is Natalia Bidart: 2EE82A8D9470983E.
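As an added example (not code from the Django project or from these advisories), the following check maps an installed Django version against the fixed versions listed in both advisories on this page, CVE-2024-24680 and CVE-2024-27351. The branch-tuple keys, the status labels and the assumption that branches newer than 5.0 carry the fixes are mine, not the advisories'.

```python
"""Defender-side check: which of the two advisories on this page still apply to
an installed Django version. Added example; not Django project code."""
import re

# Fixed patch level per supported branch, taken from the two advisories above.
# Branches absent from a map received no patch for that advisory.
ADVISORIES = {
    "CVE-2024-24680": {(3, 2): 24, (4, 2): 10, (5, 0): 2},   # intcomma DoS
    "CVE-2024-27351": {(3, 2): 25, (4, 2): 11, (5, 0): 3},   # Truncator.words() ReDoS
}

# Django version strings look like "4.2.11", "5.0", or "5.0rc1"; the optional
# pre-release tag is accepted and ignored (it only appears on x.y.0 releases).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:a\d+|b\d+|rc\d+)?$")


def parse_version(text):
    """Return ((major, minor), patch), or raise ValueError for an unparseable string."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not a Django version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor)), int(patch or 0)


def exposure(version, advisories=ADVISORIES):
    """Map each advisory to 'patched', 'vulnerable', 'unsupported' or 'post-fix'."""
    branch, patch = parse_version(version)
    status = {}
    for cve, fixed in advisories.items():
        newest_patched = max(fixed)
        if branch in fixed:
            status[cve] = "patched" if patch >= fixed[branch] else "vulnerable"
        elif branch > newest_patched:
            # Assumption (mine): branches cut after the fix landed already carry it.
            status[cve] = "post-fix"
        else:
            # 3.1, 4.0, 4.1, ...: out of support, no patch was issued; move branch.
            status[cve] = "unsupported"
    return status


def installed_exposure():
    """Run the same check against the Django in the current environment."""
    import django  # imported lazily so the rest of the module runs without Django
    return exposure(django.get_version())


if __name__ == "__main__":
    for v in ("3.2.23", "4.2.10", "5.0.3", "4.1.13"):
        print(v, exposure(v))
```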

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to [email protected], and not via Django’s Trac instance, nor via the Django Forum, nor via the django-developers list. Please see our security policies for further information.

DSF calls for applicants for a Django Fellow

After five years as part of the Django Fellowship program, Mariusz Felisiak has let us know that he will be stepping down as a Django Fellow in March 2024 to explore other things. Mariusz has made an extraordinary impact as a Django Fellow and has been a critical part of the Django community.

The Django Software Foundation and the wider Django community are grateful for his service and assistance.

The Fellowship program was started in 2014 as a way to dedicate high-quality and consistent resources to the maintenance of Django. As Django has matured, the DSF has been able to fundraise and earmark funds for this vital role. As a result, the DSF currently supports two Fellows – Mariusz Felisiak and Natalia Bidart. With the departure of Mariusz, the Django Software Foundation is announcing a call for Django Fellow applications. The new Fellow will work alongside Natalia.

The position of Fellow is focused on maintenance and community support – the work that benefits most from constant, guaranteed attention rather than volunteer-only efforts. In particular, the duties include:

Answering contributor questions on the Forum and the django-developers mailing list
Helping new Django contributors land patches and learn our philosophy
Monitoring the [email protected] email alias and ensuring security issues are acknowledged and responded to promptly
Fixing release blockers and helping to ensure timely releases
Fixing severe bugs, and helping to backport fixes for these and for security issues
Reviewing and merging pull requests
Triaging tickets on Trac

Being a Django contributor isn’t a prerequisite for this position — we can help get you up to speed. We’ll consider applications from anyone with a proven history of working with either the Django community or another similar open-source community. Geographical location isn’t important either – we have several methods of remote communication and coordination that we can use depending on the timezone difference to the supervising members of Django.

If you’re interested in applying for the position, please email us at [email protected] describing why you would be a good fit along with details of your relevant experience and community involvement. Also, please include your preferred hourly rate and when you’d like to start working. Lastly, please include at least one recommendation.

Applicants will be evaluated based on the following criteria:

Details of Django and/or other open-source contributions
Details of community support in general
Understanding of the position
Clarity, formality, and precision of communications
Strength of recommendation(s)

Applications will be open until 1200 AoE, February 16, 2024, with the expectation that the successful candidate will be notified no later than March 1, 2024.

DjangoCon Europe 2025 Call for Proposals

DjangoCon Europe 2024 will be held June 5th-9th in Vigo, Spain but we’re already looking ahead to the 2025 conference. Could your town – or your football stadium, circus tent, private island or city hall – host this wonderful community event?

Hosting a DjangoCon is an ambitious undertaking. It’s hard work, but each year it has been successfully run by a team of community volunteers, not all of whom have had previous experience – more important is enthusiasm, organizational skills, the ability to plan and manage budgets, time and people – and plenty of time to invest in the project.

How to apply

We’ve set up a working group of previous DjangoCon Europe organizers that you can reach out to with questions about organizing and running a DjangoCon Europe: [email protected]. There will also be an informational session set up towards the end of January or early February for interested organizers. Please email the working group to express interest in participating.

In order to give people the chance to go to many different conferences, DjangoCon Europe should be held between January 5 and April 15, 2025. Please read the licensing agreement the selected organizers will need to sign for the specific requirements around hosting a DjangoCon Europe.

If you’re interested, we’d love to hear from you. This year we are going to do rolling reviews of applications, in order to hopefully give more time and certainty to the selected proposal to start planning. The board will begin evaluating proposals on February 20th. The selection will be made at any time between February 20th and May 31st. The DSF Board will communicate when a selection has been made and the application process is complete. If you are interested in organizing, it is in your best interest to get a good proposal in early.

Following the established tradition, the selected hosts will be publicly announced at this year’s DjangoCon Europe by the current organizers.

The more detailed and complete your proposal, the better. Things you should consider, and that we’d like to know about, are:

dates: ideally between early January and mid-April 2025
numbers of attendees
venue(s)
accommodation
transport links
budgets and ticket prices
committee members

We’d like to see:

timelines
pictures
prices
draft agreements with providers
alternatives you have considered

Email your proposals to [email protected]. We look forward to reviewing great proposals that continue the excellence the whole community associates with DjangoCon Europe.

DSF membership now recognizes a much broader range of contributions to Django

Recently, the DSF made some changes to our bylaws to change the definition of DSF Membership. You can read the legalese of the new language in the meeting minutes for the October 12 board meeting, but here’s the short version: previously, individual membership required contribution of intellectual property (e.g. code or documentation); we’ve changed it so that individual membership now recognizes broader contributions to the DSF’s mission. That still includes code and docs, but now also includes many more activities: organizing a Django event, serving on a Working Group, maintaining a third-party app, moderating Django community spaces, and much more. (Corporate membership hasn’t changed; this just applies to individual membership.)

The DSF’s mission, as described in our bylaws, is: 

The Foundation’s purposes shall include, but not be limited to, developing and promoting the Django framework for free and open public use among the worldwide web development community, protecting the framework’s long-term viability, and advancing the state of the art in web development.

Membership, then, recognizes material contributions to that mission. This is deliberately broad and inclusive: we want to allow as broad a definition of “contribution” as possible – including, critically, contributions to the community as well as code contributions. But we do want those contributions to be “material”: we want to recognize substantial or sustained contributions, not one-offs or “drive-by” contributions.

Because this definition of “material” is somewhat deliberately vague, we’ve prepared an FAQ that outlines several examples of things we believe do and do not qualify someone for membership. Ultimately, though, if you’re not sure: please apply anyway! We generally try to err on the side of saying “yes”.

To join the DSF under these new, more inclusive rules, fill out the application form here. The Board approves new members at its monthly meeting, so you can expect to hear back within about a month.

DSF Board 2024 Elections – New board members 👋

Following our 2024 DSF Board Election Results, here are quick introductions from our two new board members, Sarah Abderemane and Thibaud Colas, elected for a two-year term for 2024-2025.

Collage: Sarah on the left, smiling, in the Versailles Hall of Mirrors. Thibaud on the right, in a field, looking in the distance with a boy on his shoulders.

Sarah Abderemane

Sarah Abderemane, also known as sabderemane, is a software developer in
France. She currently works at Kraken Tech, part of the Octopus Energy group,
contributing to solutions to climate change. She works mainly on the backend,
but also likes to work on the frontend in her spare time.

She organizes the Django Paris meetup and is an active member of the Django community: she is one of the organizers of the Djangonaut Space program, a member of the Django Accessibility team, and maintainer of djangoproject.com.

Outside of open source and work, she is passionate about dance, likes
customizing things like mechanical keyboards, and loves to travel to discover
new cultures.

Social media and blog:

Blog: sarahabd.com
Mastodon: @[email protected]
Twitter: @sabderemane_
LinkedIn: @sarahabd

Thibaud Colas

Thibaud Colas (pronounced /tee-bo/) is a developer based in the UK, working for Torchbox on the Wagtail open source CMS as part of the core team. For Wagtail, Thibaud also contributes to efforts around accessibility, developer relations, as well as participation in programs like Outreachy and Google Summer of Code.

For Django, Thibaud has been involved with organizing and volunteering at events like Django Girls and DjangoCon Europe. More recently, he helped start the accessibility team, and has joined the Djangonaut Space program as a navigator.

Outside of work, Thibaud spends most of his time with two little tornadoes that are 5 and 2 years old. He also enjoys watching sumo and baking macarons. To learn more about Thibaud, check out his personal website thib.me, @thibaud_colas on Twitter/X, or @[email protected] on Mastodon.

Meeting our new board members

Both Sarah and Thibaud are active on the Django Forum, come say hi in their introduction thread!

They will also be taking part in a mini Django contributions sprint and leading discussions on the “Future of Django” as part of Django Cologne’s 50th Meetup.

Unlock Early Savings: Early Bird Tickets for DjangoCon Europe 2024 Now Available!

You can take advantage of our Early Bird ticket sale for DjangoCon Europe 2024. By purchasing your tickets early, you not only guarantee your attendance at one of the most exciting Django events but also enjoy significant savings.

Buy tickets on the conference website

Why Go Early?

You can secure your tickets at a special Early Bird rate, providing exceptional value for your conference experience.

Also, your early commitment goes a long way in supporting the success of DjangoCon Europe 2024. It helps us plan better and ensure a seamless event.

Act now and secure your Early Bird tickets before the sale closes on April 31st. Don’t miss out on the chance to save and be a part of this exciting event.

We can’t wait to welcome you to DjangoCon Europe 2024!