The Django security team recently rushed out a fix in two days time, start to finish. We discuss the normal security cadence and why staying on the latest Django release is so important.
Will Vincent 0:06
Hello, and welcome to another episode of Django chat, a weekly podcast on the Django web framework. I'm Will Vincent joined, as always by Carlton Gibson. Hello, Carlton, Hello Will. And this week, I thought we talked about security releases, because there was a particularly interesting one recently. And so I'll tee it up, and then I'll let you do the talking since you are one of the Django fellows. So Django has a great security policy and does regular releases outside of the major releases. So major releases would be 2.012 3.0, which came out in December. And then after that, there are 3.0 point 1.2, which are minor releases, which are almost always security related. So let's talk in let's talk about what's a normal process for that. And then we'll get to this most recent one, which was a little bit interesting. Okay, so assuming it's not like 3.0, which is a big release and they that we have a whole beta release
Carlton Gibson 0:58
sequence for that. So We'd First of all, we'll do a an alpha and then as a six, resolve that as a beta, and then as a release candidate and as a final release, so you can follow those in there kind of outside of the normal cadence. But then there's a month, there's basically a monthly Django release. So it'll either be 3.0, or 3.0, point one or 3.0. Point two. And these are bug fixes in new features, essentially, or data loss bugs, which we will backport then to other versions, so if you know what's currently supported one point 11 is just about to go end of life upgrade if you're on that 2.2. And then 3.0, or current versions, and so say there's a data loss, or data loss bug in 2.2, will will release a version of that, and that's on a monthly schedule, and it's normally at the beginning of the month, the first the second or third, you know, whatever the first Monday is normally and then the other kind of release that you get as part of those is a security release and normally that hit we will try nine those on the first Monday of the month as well, just as the normal cycle, you know However, you've mentioned one recently, where we put out mid month Yes.
Will Vincent 2:03
What? Yes. Well, yeah. So from from a distance, something emerged. And within I think two days, it had gone through all the processes and was released to everyone. But what's the deep dive? We can put a link right? So yeah, it was, what was the specific bug that came out? It was okay. So don't find it or something. No, there was a, there was a bug with a click. There's like hijacking. Right? Yeah. So So now is that password reset? Yeah,
Carlton Gibson 2:27
by the password reset form. So, Unicode, God bless you. And this is why you have to be using a framework like Django, right? Because you would never ever in a million, never find this bug yourself and be able to fix this bug yourself and secure your own system if you write this code
by hand, but because there's millions of people using it, you get those fix, right.
But that if for instance, you've got a an email address, Mike cut example.com, right. That's the one we use in the test case, but there's a there's a Unicode character which is The, the Turkish lowercase I without a dot, right, and that when it's compared by a database, normally Postgres, my SQL, but SQL lite doesn't have this issue. But though, the normal lowercase i and this Turkish lowercase I without a dot, which are not the same character, compare the same when you do a, an equality test in the database to look up the email address. So in principle, somebody could register an address a Unicode look alike address for your email address, they would have to be the same domain. So it has to be like, you know, google.com or somewhere where they could get an email address on the same domain, or domain, which lowercase equivalent, of course, and then they could get sent the reset token for your password, and then they could reset your password. They could capture you, they could capture your account. And this was discovered as a vulnerability on GitHub, and get pub published a blog post on their security blog and telling the world about it which obviously Went to the front page of Hacker News. And then Simon shell he was one of the major contributors to Django was like, hang on that affects us. And so this was on them. This was on like the Monday or the Tuesday, and we had to release out on the Wednesday afternoon, which is as quick as we can do it, to be honest. Because it was it's potentially devastating.
Will Vincent 4:21
And I think also didn't Marcus holderman He also Yep, code are we gonna let's let's talk about the name well, right, because this is like, you know, these, these people labor in the dark, largely so GitHub released this thing. Simon shell at saw or one it was one of the people who saw it and raise the flag.
Carlton Gibson 4:38
Jay. So Marcus holderman, as you've said, James Bennett was Yes,
Will Vincent 4:42
I know. James was up super late involved.
Carlton Gibson 4:46
Marius, the other younger fellow was there. I was working on it. Who else probably other people. Yeah, we're directly involved. But those people I definitely remember on the ticket on the issue. And there was A lot of activity that went on behind the scenes to get it out big normally, normally, we pre announced a security release. So normally we hit a week before we'll publicly announce it. And we have a security policy for you know, if you need advance notification. Normally that would be if you're like red hat and you're packaging Django up for your package manager, you might need the security patches a little bit in advance just so you can get get that patch in place. So people can yum update their install Django this time we weren't able to do that because it was so high profile and so protect you know, it's a big
Will Vincent 5:37
issue. It's not a minor thing.
Carlton Gibson 5:39
It's a big issue. It's not a minor thing. So we just we announced it as soon as we were sure we got the CVE which is the there's a database of security, Yes, right. Which you need a number for so they've got these numbers, CVE 2019, you know, 1148 or whatever. And we released it you On the Wednesday,
Will Vincent 6:01
now how how can an average Django user know about this so that it was tweeted out? There's like, what's the best way? And shout out, I launched a Django newsletter with Jeff Triplett, Django news, Django dash news calm that will mention things like this, because in this case, because I saw it, you know, it was very, like the wording said, you know, this is like the high priority, but I'm, where should people look for this, right? There's the security Email Feed, right? will be the number one should look to, you know, when something like this happens, where it's like, we really do need to update now.
Carlton Gibson 6:35
Okay, so there's a mailing lists called Jango. Announce, which is a Google group, which you get an email for, and we send that's where we're sending the pre announced saying that the security releases are coming. So normally on security rates, you get a week's notice. For this one, you've got days notice because that was all we had. Then there's the Django blog, which you should subscribe to it. Make sure you get notifications about you know, Django con Europe or You know, the each each released there's a release blog post for each release, which tells you about the release what's in there what's, you know, what you need to do. There's a Twitter account you can follow. Where else I think that's about it. I think those are the the main sources then Django news EMA?
Will Vincent 7:16
Yeah. Well, I'll admit publicly, I see that I'm actually not in the Django announced Google Groups. I just signed up. I mean, a half a dozen other ones, but not that one. So
Carlton Gibson 7:25
it depends. It depends what you like. So the blog post comes out, like immediately. Yeah, I mean, then. So if you've got an RSS if you've got an RSS reader that you subscribe to that will appear in your RSS reader. If you're on Twitter, that's automatically tweeted out, so but Twitter's easy to miss, so I wouldn't use that as a reliable source. And then just be on that latest version, whichever it is. So if you're on 2.2 be on 2.2 point eight, or 2.2 point nine and then be ready to update to 2.2 point 10 when it's released and do that monthly. Yeah, if you're on, you know, if you're on the latest major release.
Will Vincent 7:58
Well, I thought just This was a great example of the small number of people in the dark who make Django happen make it secure. You know, again, James Bennett, who's been involved with Django for forever. The next day, he was on a Django Software Foundation monthly meeting, which I'm on now and you know, he was quite tired. So he's going from one thing to another plus holding down a job and same for basically everyone else. This isn't their job. They're not getting paid to do this. They do. Because they care. And
Carlton Gibson 8:28
yeah, and you know, your long term contributors have been there for ages. They are so knowledgeable. It's just mind blowing like James. James was able to point to the right RFC where discuss it or not, yeah, technical document, where it discusses the exact algorithm you have to use to do safe comparison of Unicode strings. And you know, that knowledge just isn't I don't have it and you know, 99% of people don't have But James has got it and he what he doesn't know well, Florian will know or Simon will know You know, and you know, there's a dozen people perhaps on the security team who really they really know this stuff.
Will Vincent 9:08
Yeah. Yes, well, so as ever, the more I learned about Django The more I appreciate all this work that's done to make it what it is. And I actually I just quickly mentioned, I was elected to the board. So there's a Django Software Foundation Board. So thank you, community. So I now one of seven people on that who meet monthly who and I'm the treasurer. So deal with things like paying the fellows sponsors. We'll do an episode on that. But I'm learning more about Django and hopefully I'll share that with podcast listeners since I think most podcast listeners don't know either. Much of how Django is run we all just take it for granted.
Carlton Gibson 9:44
Yeah no means just pip install Django that's that's it? No.
Will Vincent 9:50
All right. Anything else this this is a short episode but we wanted to highlight that security release because again, I in my world, all the fire alarms are going off and I was like, oh my god like this is This is something we should highlight to people because it doesn't just happen. Without action,
Carlton Gibson 10:04
ya know, all in all I'd say is, is, you know, sponsor DSF, obviously. But beyond that latest version and be prepared to update monthly, it's just a point release, we shouldn't break anything, you know, if it's a bit of a security issue in the small breaking changes, small breaking change. So one previously, for the admin in 2.1, reintroduce read only views. And in 2.1, you could have a read only parent with editable in lines. And it turned out that that wasn't going to be sustainably secure. So we had to pull that out. And now if unless the parent models editable, the whole view will be read only. And that's more secure. And you can work around that by implementing custom views. But that was a breaking change. We made that with some great discussion. We looked at alternatives and we looked at whether those were sustainable, and we're like no, but if you're on the latest version, it's an easy update and Okay, that there was a small breaking change if you're needing that you've got a code around it, but you know, for security issues, you can't You
Will Vincent 11:01
can't quibble. Yeah. And yet another example of your analogy of the car. This is just maintenance. If you're up to date, it's easier to stay up to date. You have your test suite. Right. And you just run it. Yeah. And you're good to go.
Carlton Gibson 11:14
Yeah, it's like if you need new tires, you put new tires on because otherwise you crash.
Will Vincent 11:18
Yes.
Well, thank you, everyone, for listening. Thank you, Carlton, for you and the fellows and the community that does all this work. I appreciate it. And that is about it, I think.
Carlton Gibson 11:31
Okay. Well, thanks for joining us. Join us next time. Bye bye.
Will Vincent 11:34
Okay. Bye bye.