
Django 2.0.3, 1.11.11, & 1.8.19 released, fixing security flaws


The Django web framework has officially released version 2.0. This version no longer supports Python 2.x and adds a number of new features.

With Django, you can take Web applications from concept to launch in a matter of hours. Django takes care of much of the hassle of Web development, so you can focus on writing your app without needing to reinvent the wheel. It’s free and open source.


  • Ridiculously fast: Django was designed to help developers take applications from concept to completion as quickly as possible.
  • Fully loaded: Django includes dozens of extras you can use to handle common Web development tasks. Django takes care of user authentication, content administration, site maps, RSS feeds, and many more tasks — right out of the box.
  • Reassuringly secure: Django takes security seriously and helps developers avoid many common security mistakes, such as SQL injection, cross-site scripting, cross-site request forgery and clickjacking. Its user authentication system provides a secure way to manage user accounts and passwords.
  • Exceedingly scalable: Some of the busiest sites on the planet use Django’s ability to quickly and flexibly scale to meet the heaviest traffic demands.
  • Incredibly versatile: Companies, organizations and governments have used Django to build all sorts of things — from content management systems to social networks to scientific computing platforms.

Changelog v2.0.3, 1.11.11, & 1.8.19

CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters

The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (one regular expression for Django 1.8). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.

CVE-2018-7537: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters

If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
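Both CVEs above are instances of one bug class: a regular expression whose nested quantifiers can split the same input in exponentially many ways, so a non-matching input keeps the engine busy. The following added example (not Django's own regexes, which are not reproduced here) shows a constructed pattern of that kind next to an unambiguous rewrite, a timing harness of the sort used to flag such patterns in review, and an input-size cap as defence in depth; the cap value is an assumption for the example.

```python
import re
import time

# Constructed illustration of the bug class behind CVE-2018-7536/7537, not
# Django's actual regular expressions. Both patterns accept words separated
# by single spaces (the first also tolerates a trailing space), but in the
# first the inner "\w+" and the outer "+" can split a run of n letters in
# 2**(n-1) ways; when the final "$" fails (trailing "!"), the engine retries
# every split before giving up.
BACKTRACKING_RE = re.compile(r'^(\w+\s?)+$')

# Unambiguous rewrite: a word, then zero or more (space, word) pairs. Every
# character has exactly one place it can go, so a non-matching input is
# rejected after a single linear scan.
LINEAR_RE = re.compile(r'^\w+(?: \w+)*$')

# Defence in depth for filters that run regexes over user-supplied text:
# cap the input before matching so even an ambiguous pattern has a bounded
# worst case. The cap value is an assumption chosen for this example.
MAX_FILTER_INPUT = 10_000


def time_match(pattern, text):
    """Return (matched, seconds) for a single anchored match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def bounded_match(pattern, text, limit=MAX_FILTER_INPUT):
    """Match only if the input is within the size cap; otherwise refuse."""
    if len(text) > limit:
        return None
    return pattern.match(text)


def slowdown_factor(bad, good, n=16):
    """How many times slower `bad` is than `good` on a non-matching input of
    n letters followed by '!'. For an exponential pattern this grows with n."""
    text = 'a' * n + '!'
    _, t_bad = time_match(bad, text)
    _, t_good = time_match(good, text)
    return t_bad / max(t_good, 1e-9)


if __name__ == '__main__':
    # Each extra letter roughly doubles the backtracking pattern's time.
    for n in (12, 14, 16, 18):
        text = 'a' * n + '!'
        print(n, 'backtracking %.4fs' % time_match(BACKTRACKING_RE, text)[1],
              'linear %.6fs' % time_match(LINEAR_RE, text)[1])
```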

