The Django weblog

2025 DSF Board Nominations

Thibaud Colas — Wed, 25 Sep 2024 11:03:45 -0500

Nominations are open for the 2025 Django Software Foundation Board of Directors.

In 2023 we introduced a staggered term for directors. Of our 7 directors, there are 4 positions currently open, with each position serving for two years.

Decisions around the 2025 officer roles will be made during the meeting of the new board. You don’t need to specify which position you are nominating for.

As you know, the Board guides the direction of the marketing, governance and outreach activities of the Django community. We provide funding, resources, and guidance to Django events on a global level. Further we provide support to the Django community with an established Code of Conduct and make decisions and enforcement recommendations for violations. We work with our corporate and individual members to raise funds to help support our great community.

In order for our community to continue to grow and advance the Django Web framework, we need your help. The Board of Directors consists of seven volunteers who are elected to two year terms. This is an excellent opportunity to help advance Django. We can’t do it without volunteers, such as yourself. Anyone including current Board members, DSF Members, or the public at large can apply to the Board. It is open to all.

2025 DSF Board Nomination Form

If you are interested in helping to support the development of Django we’d enjoy receiving your application for the Board of Directors. Please fill out the 2025 DSF Board Nomination form by October 25, 2024 Anywhere on Earth to be considered.

If you have any questions about applying, the work, or the process in general please don’t hesitate to reach out via email to foundation@djangoproject.com.

Thank you for your time and we look forward to working with you in 2025.

The 2024 DSF Board of Directors.

PyCharm & Django Campaign 2024 - encore

Thibaud Colas and JetBrains — Mon, 23 Sep 2024 06:43:13 -0500

The Django Software Foundation's biggest fundraising event of the year is here!

Get 30% off PyCharm, Support Django

Each year, our friends at JetBrains, the creators of PyCharm, run an incredible deal. You get a 30% discounted year of PyCharm, AND the DSF gets 100% of the money. Yes, 100%! It's making a donation and directly getting a great product in return! This is available for new users, and those who had used PyCharm in the past, stopped, and want to try again.

The fundraiser

The fundraiser started during DjangoCon Europe in June, and is now back on from September 22nd to October 6th. Buy PyCharm and support Django!

In the past, JetBrains through the PyCharm fundraiser has provided approximately one quarter of the Django Software Foundation's budget!

Donations like this fundraiser allow the DSF to function. Our two wonderful Fellows, Natalia Bidart and Sarah Boyce keep Django running smoothly, picking up pieces that would otherwise not happen.

The other side of the DSF is our support for Django groups across the globe. We supported every DjangoCon, particularly with donating funding towards opportunity grants for more people to be able to attend these conferences. The DSF also supports smaller events around the world, including DjangoGirls events.

PyCharm

Finally, I want to tell you about PyCharm itself.

PyCharm is an integrated development environment (IDE) that helps professional Python web developers be more productive, be more confident, and write better code. It supports the full Python web workflow out of the box, including popular Python web frameworks, such as Django, frontend technologies, and databases.

Here are the main benefits of using PyCharm in your Django development:

Django (including templates), Flask, FastAPI
Database management (Postgres, Redis)
JS, React, Node.js, TailwindCSS
Built-in HTTP Client and endpoint tools

Get Django work done with PyCharm, a powerful IDE tailored for Django web development!

Consider this the easiest charitable donation you will ever make, when you get such a great product in return!

Get 30% off PyCharm, Support Django

Other ways to donate

If you would like to donate in another way, especially if you are already a PyCharm customer, here are other ways to donate to the DSF:

On our website via credit card
Via GitHub Sponsors
For those able to make a larger donation, particularly corporate sponsors ($2000+), more information is here: Corporate membership

Last call for DjangoCon US 2024 tickets!

DjangoCon US Organizers — Wed, 18 Sep 2024 07:00:00 -0500

DjangoCon US starts next week in Durham, NC on September 22nd!

If you aren't able to join in person, please consider purchasing an online ticket: https://ti.to/defna/djangocon-us-2024

The conference is full of a variety of talks with excellent keynote speakers! It's shaping up to be an event you'll want to experience live.

If you'd like to learn more about DjangoCon US visit them at their website or reach out to them at hello@djangocon.us.

Nominate a Djangonaut for the 2024 Malcolm Tredinnick Memorial Prize

Thibaud Colas — Mon, 16 Sep 2024 00:01:01 -0500

Hello Everyone 👋 It is that time of year again when we recognize someone from our community in memory of our friend Malcolm.

Malcolm was an early core contributor to Django and had both a huge influence and impact on Django as we know it today. Besides being knowledgeable he was also especially friendly to new users and contributors. He exemplified what it means to be an amazing Open Source contributor. We still miss him to this day.

The prize

The Django Software Foundation Prizes page summarizes it nicely:

The Malcolm Tredinnick Memorial Prize is a monetary prize, awarded annually, to the person who best exemplifies the spirit of Malcolm’s work - someone who welcomes, supports, and nurtures newcomers; freely gives feedback and assistance to others, and helps to grow the community. The hope is that the recipient of the award will use the award stipend as a contribution to travel to a community event -- a DjangoCon, a PyCon, a sprint -- and continue in Malcolm’s footsteps.

Please make your nominations using our form: 2024 Malcolm Tredinnick Memorial Prize. Nominations are welcome from everyone.

We will take nominations until Monday, September 30th, 2024, Anywhere on Earth, and will announce the winner(s) soon after the next DSF Board meeting in October. If you have any questions please reach out to the DSF Board at foundation@djangoproject.com.

Submit a nomination

Djangonaut Space - New session 2024

Sarah Abderemane — Fri, 06 Sep 2024 11:33:15 -0500

We are thrilled to announce that Djangonaut Space, a mentorship program, is open for applicants for our next cohort!

Djangonaut Space is holding a third session this year! This session will start on October 14th, 2024. We are accepting applications until September 14th, 2024. More details can be found in the website.

Djangonaut Space is a free, 8-week group mentoring program where individuals will work self-paced in a semi-structured learning environment. It seeks to help members of the community who wish to level up their current Django code contributions and potentially take on leadership roles in Django in the future.

“I signed up for this program with the goal of starting my journey as a contributor, but I ended up gaining so much more. In this community, I found incredible people who not only guide you toward solutions but also encourage and celebrate every achievement along the way.” - Raffaella, Djangonaut

If you have questions, they are holding an AMA session on Zoom next week. See their social media account for more details:

Django security releases issued: 5.1.1, 5.0.9, and 4.2.16

Natalia Bidart — Tue, 03 Sep 2024 06:00:00 -0500

In accordance with our security release policy, the Django team is issuing releases for Django 5.1.1, Django 5.0.9, and Django 4.2.16. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2024-45230: Potential denial-of-service vulnerability in `django.utils.html.urlize()`

urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

Thanks to MProgrammer for the report.

This issue has severity "moderate" according to the Django security policy.

CVE-2024-45231: Potential user email enumeration via response status on password reset

Due to unhandled email sending failures, the django.contrib.auth.forms.PasswordResetForm class allowed remote attackers to enumerate user emails by issuing password reset requests and observing the outcomes.

To mitigate this risk, exceptions occurring during password reset email sending are now handled and logged using the django.contrib.auth logger.

Thanks to Thibaut Spriet for the report.

This issue has severity "low" according to the Django security policy.

Affected supported versions

Django main branch
Django 5.1
Django 5.0
Django 4.2

Resolution

Patches to resolve the issue have been applied to Django's main, 5.1, 5.0, and 4.2 branches. The patches may be obtained from the following changesets.

CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize()

On the main branch
On the 5.1 branch
On the 5.0 branch
On the 4.2 branch

CVE-2024-45231: Potential user email enumeration via response status on password reset

On the main branch
On the 5.1 branch
On the 5.0 branch
On the 4.2 branch

The following releases have been issued

Django 5.1.1 (download Django 5.1.1 | 5.1.1 checksums)
Django 5.0.9 (download Django 5.0.9 | 5.0.9 checksums)
Django 4.2.16 (download Django 4.2.16 | 4.2.16 checksums)

The PGP key ID used for this release is Natalia Bidart: 2EE82A8D9470983E

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance, nor via the Django Forum, nor via the django-developers list. Please see our security policies for further information.

Could you host DjangoCon Europe 2026? Call for organizers

Thibaud Colas & DjangoCon Europe Support working group — Wed, 28 Aug 2024 07:59:23 -0500

We are looking for the next group of organizers to own and lead the 2026 DjangoCon Europe conference. Could your town - or your football stadium, circus tent, private island or city hall - host this wonderful community event?

DjangoCon Europe is a major pillar of the Django community, as people from across the world meet and share. This includes many qualities that make it a unique event - unconventional and conventional venues, creative happenings, a feast of talks and a dedication to inclusion and diversity.

Hosting a DjangoCon is an ambitious undertaking. It's hard work, but each year it has been successfully run by a team of community volunteers, not all of whom have had previous experience - more important is enthusiasm, organizational skills, the ability to plan and manage budgets, time and people - and plenty of time to invest in the project.

For 2026, we want to kickstart the organization much earlier than in previous years to allow more flexibility for the organizing team, and open up more opportunities for support from our DjangoCon Europe support working group.

Step 1: Submit your expression of interest

If you’re considering organizing DjangoCon Europe (🙌 great!), fill in our DjangoCon Europe 2026 expression of interest form with your contact details. No need to fill in all the information at this stage if you don’t have it all already, we’ll reach out and help you figure it out.

Express your interest in organizing

Step 2: We’re here to help!

We've set up a DjangoCon Europe support working group of previous organizers that you can reach out to with questions about organizing and running a DjangoCon Europe.

The group will be in touch with everyone submitting the expression of interest form, or you can reach out to them directly: european-organizers-support@djangoproject.com

We'd love to hear from you as soon as possible, so your proposal can be finalized and sent to the DSF board by October 6th 2024. The selected hosts will be publicly announced at DjangoCon Europe 2025 by the current organizers.

Step 3: Submitting the proposal

The more detailed and complete your final proposal is, the better. Basic details include:

Organizing committee members: You won’t have a full team yet, probably, naming just some core team members is enough.
The legal entity that is intended to run the conference: Even if the entity does not exist yet, please share how you are planning to set it up.
Dates: See “What dates are possible in 2026?” below. We must avoid conflicts with major holidays, EuroPython, DjangoCon US, and PyCon US.
Venue(s), including size, number of possible attendees, pictures, accessibility concerns, catering, etc.
Transport links and accommodation: Can your venue be reached by international travelers?
Budgets and ticket prices: Talk to the DjangoCon Europe Support group to get help with this, including information on past event budgets.

We also like to see:

Timelines
Pictures
Plans for online participation, and other ways to make the event more inclusive and reduce its environmental footprint
Draft agreements with providers
Alternatives you have considered

Have a look at our proposed (draft, feedback welcome) DjangoCon Europe 2026 Licensing Agreement for the fine print on contractual requirements and involvement of the Django Software Foundation.

Submit your completed proposal by October 6th 2024 via our DjangoCon Europe 2026 expression of interest form, this time filling in as many fields as possible. We look forward to reviewing great proposals that continue the excellence the whole community associates with DjangoCon Europe.

Q&A

Can I organize a conference alone?

We strongly recommend that a team of people submit an application.

I/we don’t have a legal entity yet, is that a problem?

Depending on your jurisdiction, this is usually not a problem. But please share your plans about the entity you will use or form in your application.

Do I/we need experience with organizing conferences?

The support group is here to help you succeed. From experience, we know that many core groups of 2-3 people have been able to run a DjangoCon with guidance from previous organizers and help from volunteers.

What is required in order to announce an event?

Ultimately, a contract with the venue confirming the dates is crucial, since announcing a conference makes people book calendars, holidays, buy transportation and accommodation etc. This, however, would only be relevant after the DSF board has concluded the application process. Naturally, the application itself cannot contain any guarantees, but it’s good to check concrete dates with your venues to ensure they are actually open and currently available, before suggesting these dates in the application.

Do we have to do everything ourselves?

No. You will definitely be offered lots of help by the community. Typically, conference organizers will divide responsibilities into different teams, making it possible for more volunteers to join. Local organizers are free to choose which areas they want to invite the community to help out with, and a call will go out through a blog post announcement on djangoproject.com and social media.

What kind of support can we expect from the Django Software Foundation?

The DSF regularly provides grant funding to DjangoCon organizers, to the extent of $6,000 in recent editions. We also offer support via specific working groups:

The dedicated DjangoCon Europe support working group.
The social media working group can help you promote the event.
The Code of Conduct working group works with all event organizers.

In addition, a lot of Individual Members of the DSF regularly volunteer at community events. If your team aren’t Individual Members, we can reach out to them on your behalf to find volunteers.

What dates are possible in 2026?

For 2026, DjangoCon Europe should happen between January 5th and April 27th, or June 4th and June 28th. This is to avoid the following community events’ provisional dates:

PyCon US 2026: May 2026
EuroPython 2026: July 2026
DjangoCon US 2026: September - October 2026
DjangoCon Africa 2026: August - September 2026

We also want to avoid the following holidays:

New Year's Day: Wednesday 1st January 2026
Chinese New Year: Tuesday 17th February 2026
Eid Al-Fitr: Friday 20th March 2026
Passover: Wednesday 1st - Thursday 9th April 2026
Easter: Sunday 5th April 2026
Eid Al-Adha: Tuesday 26th - Friday 29th May 2026
Rosh Hashanah: Friday 11th - Sunday 13th September 2026
Yom Kippur: Sunday 20th - Monday 21st September 2026

What cities or countries are possible?

Any city in Europe. This can be a city or country where DjangoCon Europe has happened in the past (Vigo, Edinburgh, Porto, Copenhagen, Heidelberg, Florence, Budapest, Cardiff, Toulon, Warsaw, Zurich, Amsterdam, Berlin), or a new locale.

References

Past calls

Django 5.1 released

Natalia Bidart — Wed, 07 Aug 2024 08:00:00 -0500

The Django team is happy to announce the release of Django 5.1.

The release notes showcase a kaleidoscope of improvements. A few highlights are:

Easier guardrails for authentication: the new and shiny LoginRequiredMiddleware, when added to MIDDLEWARE, enforces authentication for all views by default.
A more inclusive framework: Django 5.1 includes several accessibility enhancements, such as improved screen reader support in the admin interface, more semantic HTML elements, and better association of help text and labels with form fieldsets.
The second oldest ticket fixed in this release provides the long awaited querystring template tag, which greatly simplifies the handling of query strings when building URLs in templates.

(If you are curious about the oldest ticket fixed in this release, check out Ticket #10743.)

You can get Django 5.1 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Natalia Bidart: 2EE82A8D9470983E.

With the release of Django 5.1, Django 5.0 has reached the end of mainstream support. The final minor bug fix release, 5.0.8, was issued yesterday. Django 5.0 will receive security and data loss fixes until April 2025. All users are encouraged to upgrade before then to continue receiving fixes for security issues.

See the downloads page for a table of supported versions and the future release schedule.

Django security releases issued: 5.0.8 and 4.2.15

Sarah Boyce — Tue, 06 Aug 2024 08:39:29 -0500

In accordance with our security release policy, the Django team is issuing releases for Django 5.0.8 and Django 4.2.15. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2024-41989: Memory exhaustion in `django.utils.numberformat.floatformat()`

The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.

Thanks to Elias Myllymäki for the report.

This issue has severity "moderate" according to the Django security policy.

CVE-2024-41990: Potential denial-of-service in `django.utils.html.urlize()`

The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

Thanks to MProgrammer for the report.

This issue has severity "moderate" according to the Django security policy.

CVE-2024-41991: Potential denial-of-service vulnerability in `django.utils.html.urlize()` and `AdminURLFieldWidget`

The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

Thanks to Seokchan Yoon for the report.

This issue has severity "moderate" according to the Django security policy.

CVE-2024-42005: Potential SQL injection in `QuerySet.values()` and `values_list()`

QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

Thanks to Eyal Gabay of EyalSec for the report.

This issue has severity "high" according to the Django security policy.

Affected supported versions

Django main branch
Django 5.1 (currently at release candidate status)
Django 5.0
Django 4.2

Resolution

Patches to resolve the issue have been applied to Django's main, 5.1, 5.0, and 4.2 branches. The patches may be obtained from the following changesets.

CVE-2024-41989: Memory exhaustion in `django.utils.numberformat.floatformat()`

On the main branch
On the 5.1 branch
On the 5.0 branch
On the 4.2 branch

CVE-2024-41990: Potential denial-of-service in `django.utils.html.urlize()`

On the main branch
On the 5.1 branch
On the 5.0 branch
On the 4.2 branch

CVE-2024-41991: Potential denial-of-service vulnerability in `django.utils.html.urlize()` and `AdminURLFieldWidget`

On the main branch
On the 5.1 branch
On the 5.0 branch
On the 4.2 branch

CVE-2024-42005: Potential SQL injection in `QuerySet.values()` and `values_list()`

On the main branch
On the 5.1 branch
On the 5.0 branch
On the 4.2 branch

The following releases have been issued

Django 5.0.8 (download Django 5.0.8 | 5.0.8 checksums)
Django 4.2.15 (download Django 4.2.15 | 4.2.15 checksums)

The PGP key ID used for this release is Sarah Boyce: 3955B19851EA96EF

General notes regarding security reporting

Django 5.1 release candidate 1 released

Natalia Bidart — Wed, 24 Jul 2024 05:51:52 -0500

Django 5.1 release candidate 1 is the final opportunity for you to try out a kaleidoscope of improvements before Django 5.1 is released.

The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, Django 5.1 will be released on or around August 7. Any delays will be communicated on the on the Django forum.

Please use this opportunity to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the release candidate package from our downloads page or on PyPI.

The PGP key ID used for this release is Natalia Bidart: 2EE82A8D9470983E

The Django weblog

2025 DSF Board Nominations

PyCharm & Django Campaign 2024 - encore

The fundraiser

PyCharm

Other ways to donate

Last call for DjangoCon US 2024 tickets!

Nominate a Djangonaut for the 2024 Malcolm Tredinnick Memorial Prize

The prize

Djangonaut Space - New session 2024

Django security releases issued: 5.1.1, 5.0.9, and 4.2.16

CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize()

CVE-2024-45231: Potential user email enumeration via response status on password reset

Affected supported versions

Resolution

CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize()

CVE-2024-45231: Potential user email enumeration via response status on password reset

The following releases have been issued

General notes regarding security reporting

Could you host DjangoCon Europe 2026? Call for organizers

Step 1: Submit your expression of interest

Step 2: We’re here to help!

Step 3: Submitting the proposal

Q&A

Can I organize a conference alone?

I/we don’t have a legal entity yet, is that a problem?

Do I/we need experience with organizing conferences?

What is required in order to announce an event?

Do we have to do everything ourselves?

What kind of support can we expect from the Django Software Foundation?

What dates are possible in 2026?

What cities or countries are possible?

References

Past calls

Django 5.1 released

Django security releases issued: 5.0.8 and 4.2.15

CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()

CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize()

CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget

CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()

Affected supported versions

Resolution

CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()

CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize()

CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget

CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()

The following releases have been issued

General notes regarding security reporting

Django 5.1 release candidate 1 released

CVE-2024-45230: Potential denial-of-service vulnerability in `django.utils.html.urlize()`

CVE-2024-41989: Memory exhaustion in `django.utils.numberformat.floatformat()`

CVE-2024-41990: Potential denial-of-service in `django.utils.html.urlize()`

CVE-2024-41991: Potential denial-of-service vulnerability in `django.utils.html.urlize()` and `AdminURLFieldWidget`

CVE-2024-42005: Potential SQL injection in `QuerySet.values()` and `values_list()`

CVE-2024-41989: Memory exhaustion in `django.utils.numberformat.floatformat()`

CVE-2024-41990: Potential denial-of-service in `django.utils.html.urlize()`

CVE-2024-41991: Potential denial-of-service vulnerability in `django.utils.html.urlize()` and `AdminURLFieldWidget`

CVE-2024-42005: Potential SQL injection in `QuerySet.values()` and `values_list()`