Transcript: Security Releases

00:00.0

Hello, and welcome to another episode of Django Chat, a weekly podcast on the Django Web Framework.

00:10.4

I'm Will Vincent, joined as always by Carlton Gibson. Hello, Carlton.

00:13.7

Hello, Will.

00:14.5

And this week, I thought we'd talk about security releases because there was a particularly

00:18.3

interesting one recently. And so I'll tee it up and then I'll let you do the talking

00:22.5

since you are one of the Django fellows. So Django has a great security policy and does

00:27.1

regular releases outside of the major releases. So major releases would be 2.0, 1.2, 3.0, which

00:34.3

came out in December. And then after that, there's 3.0, 0.1, 0.2, which are minor releases, which are

00:41.2

almost always security related. So let's talk about what's a normal process for that. And then

00:47.0

we'll get to this most recent one, which was a little bit interesting. Okay, so assuming it's

00:51.1

not like 3.0 which is a big release and they they we have a whole um beta release um sequence for

00:59.6

that so we first of all we'll do a an alpha and then there's a six weeks after that there's a

01:04.4

beta and then there's a release candidate and there's a final release so you can follow those

01:07.7

and they're kind of outside of the normal cadence but then there's a month there's basically a

01:12.3

monthly django release so it'll either be 3.0 or 3.0.1 or 3.0.2 and these are bug fixes in new

01:20.2

features essentially or data loss bugs which we will backport then to other versions so if you

01:25.5

know what's currently supported 1.11 is just about to go end of life upgrade if you're on that 2.2

01:31.5

and then 3.0 are current versions and so say there's a data loss a data loss bug in 2.2 we'll

01:38.9

we'll release a version of that and that's on the monthly schedule and that's normally at the

01:42.5

beginning of the month of the first the second the third you know whatever the first monday is

01:46.1

normally and then the other kind of release that you get as part of those is a security release

01:52.5

and normally that hit we will try and land those on the on the first monday of the month as well

01:57.6

just as the normal cycle you know um however you mentioned one recently where we put out mid-month

02:03.7

yes well yes well yeah so from from a distance um something emerged and within i think two days

02:09.4

it had gone through all the processes and was released to everyone but what what's the the

02:14.3

deep dive we can put a link right so yeah it was what was the specific bug that came out it was

02:20.0

okay so we'll find it or something no there was a there was a bug was a click there's a hijacking

02:25.0

right yeah so so now is the password reset yeah via the password reset form so um unicode god

02:32.2

bless you and this is why you have to be using a framework like django right because you would

02:36.1

never ever in a million years find this bug yourself and be able to fix this bug yourself

02:40.8

and secure your own system if you wrote this code by hand.

02:44.2

But because there's millions of people using it,

02:46.7

you get those fixes.

02:48.4

But if, for instance, you've got an email address,

02:52.1

mycut.com,

02:54.3

Example.com, right? That's the one we use in the test case.

02:57.3

But there's a Unicode character, which the Turkish lowercase i without a dot, right?

03:05.0

And that, when it's compared by a database, normally, Postgres, MySQL, well, SQLite doesn't have this issue,

03:12.3

but the normal lowercase i and this Turkish lowercase i without a dot, which are not the same character,

03:19.3

compare the same when you do a quality test in the database to look up the email address so in

03:26.3

principle somebody could register an address a unicode lookalike address for your email address

03:31.6

it'd have to be the same domain so it'd have to be like you know google.com or somewhere where

03:35.9

they could get an email address on the same domain or the main which lowercase the equivalent of

03:40.5

course um and then they could get sent the reset token for your password and then they could reset

03:47.1

your password they could capture your they could capture your account um and this was discovered

03:52.4

as a vulnerability on github and github published a blog post on their security blog telling the

03:59.0

world about it which obviously went to the front page of hacker news and then simon chalet who's

04:04.2

one of the major contributors to django uh was like uh hang on that affects us too and so this

04:11.2

was on them this was on like the monday or the tuesday and we had a release out on the wednesday

04:14.9

afternoon which is as quick as we can do it to be honest because it was it's potentially devastating

04:21.8

and i think also didn't marcus holderman he also did the code or because let's let's talk about

04:27.2

the names right because this like you know these people labor in the dark largely so github released

04:33.0

this thing uh simon chalet saw it or one it was one of the people who saw it and raised the flag

04:38.1

so marcus holderman as you said uh james bennett was yes i know james was up super late involved

04:44.9

uh marius the other jungle fellow was there i was working on it uh who else probably other people

04:54.1

uh yeah were directly involved but those people i definitely remember were on the ticket on the

04:58.8

issue and there was a lot of activity that went on behind the scenes to get it out and normally

05:04.5

normally we pre-announce a security release so normally we hit a week before we'll publicly

05:08.6

announce it and we have a security policy for you know if you need advanced notification

05:13.9

um normally that would be uh if you're like red hat and you're packaging django up for

05:19.0

your package manager you might need these security patches a little bit in advance just so you can

05:23.6

get get that patch in place so people can yum update their their installed django

05:30.7

this time we weren't able to do that because it was so high profile and so

05:35.3

pretend you know it's it's a big issue it's not a minor thing it's a big issue if it's not a minor

05:40.8

of thing so we just we announced it as soon

05:42.8

as we were sure we got the CVE which is

05:44.8

the there's a database of security issues

05:46.5

right yeah

05:48.5

which you need a number for.

05:50.7

So they've got these numbers, CVE 2019,

05:53.9

you know, 1,148 or whatever.

05:56.8

And we released it, you know, on the Wednesday.

06:01.3

Now, how can an average Django user know about this?

06:05.6

So it was tweeted out.

06:07.7

There's like, what's the best way?

06:09.5

And shout out, I launched a Django newsletter

06:11.6

with Jeff Triplett, django-news.com

06:14.6

that will mention things like this.

06:17.4

Because in this case, because I saw, you know, it was very, like the wording said, you know, this is like high priority.

06:23.6

But I'm, where should people look for this, right?

06:26.4

There's the security email feed, right?

06:28.9

What would be the number one place someone should look to, you know, when something like this happens where it's like, oh, you really do need to update now?

06:35.3

Okay, so there's a mailing list called Django Announce, which is a Google group, which you get an email for.

06:40.4

And we send, that's where we'll send the pre-announce saying that the security releases are coming.

06:45.0

So normally on a security release, you get a week's notice.

06:47.4

um for this one you got a day's notice because that was all we had uh then there's the django

06:55.5

blog which you should subscribe to anyway because you get notifications about you know django con

06:59.0

europe or you know the each each released there's a release blog post for each release which tells

07:04.4

you about the release what's in there what's you know what you need to do there's a twitter account

07:10.0

you can follow where else i think that's about it i think those are the the main sources then

07:14.8

django news email yeah well i i'll admit publicly i see that i'm actually not in the django announce

07:20.7

google group so i just signed up i'm in a half a dozen other ones but not that one so it depends

07:26.1

it depends what you like so the blog post comes out like immediately uh yeah i mean and so if

07:31.6

you've got an rs if you've got an rss read that you subscribe to that will appear in your rss

07:35.7

reader if you're on twitter that's automatically tweeted out so but twitter is easy to miss so i

07:41.3

wouldn't use that as a reliable source and then just be on that latest version whichever it is

07:47.4

so if you're on 2.2 be on 2.2.8 or 2.2.9 and then be ready to update to 2.2.10 when it's released

07:54.7

and do that monthly yeah if you're on you know if you're on the latest major release well and i

07:59.3

thought just this was a a great example of the small number of you know people in the dark who

08:05.3

make django happen make it secure you know again james bennett who's been involved with django for

08:09.7

forever the next day he was on a django software foundation uh monthly meeting um which i'm on now

08:16.4

and you know he was quite tired so he's going from one thing to another plus holding down a job and

08:21.5

same for basically everyone else this isn't their job they're not getting paid to do this they do

08:26.2

this because they care and yeah and you know you're the long-term contributors have been there

08:33.3

for ages they they are so knowledgeable it's just mind-blowing like james james was able to point to

08:38.5

the right RFC way, discuss it, or not the RFC, the technical dog.

08:42.8

where it discusses the exact algorithm you have to use to do safe comparison of unicode strings

08:47.9

and you know that knowledge just isn't i don't have it and you know 99 of people don't have

08:56.3

but james has got it and he what he doesn't know well florian will know or simon will know

08:60.0

you know and you know there's a a dozen people perhaps on the security team who really they

09:06.9

really know this stuff yeah yes well so as ever the more i learn about django the more i appreciate

09:14.2

all this work that's done to make it what it is and i actually i just quickly mentioned um

09:18.7

i was elected to the board so there's a django software foundation board so thank you community

09:23.4

um so i'm now one of seven people on that who meet monthly who and i'm the treasurer so deal with

09:30.0

things like paying the fellows sponsors we'll do an episode on that but i'm learning more about

09:35.5

Django and hopefully I'll share that with podcast listeners since I think most podcast listeners

09:39.4

don't know either much of how Django is run we all just take it for granted yeah no I mean it's

09:45.6

just pip install Django that's that's it no all right anything else this this is a short episode

09:52.4

but we wanted to highlight that security release because again in my world all the fire alarms are

09:56.8

going off and I was like oh my god like this is this is something we should highlight to people

10:01.3

because it doesn't just happen without action.

10:04.8

Yeah, no, all I'd say is sponsor the DSF, obviously.

10:11.3

But be on that latest version

10:13.1

and be prepared to update monthly.

10:15.5

It's just a point release.

10:16.6

We shouldn't break anything.

10:18.4

But if it's a security issue

10:19.7

and there's a small breaking change,

10:20.8

there's a small breaking change.

10:21.9

So one previously for the admin in 2.1,

10:24.5

we introduced read-only views.

10:26.7

And in 2.1, you could have a read-only parent

10:29.3

with editable inlines.

10:31.0

but it turned out that that wasn't going to be sustainably secure so we had to pull that out and

10:36.1

now if unless the parent model is editable the whole view will be read only and that's more

10:40.7

secure and you can work around that by implementing custom views but that was a breaking change we

10:45.5

made that with some great discussion we looked at alternatives and we looked at whether those

10:50.1

were sustainable and we're like no but if you're on the latest version it's an easy update and okay

10:54.4

there was a small breaking change if you're needing that you've got a code around it but

10:57.6

you know for security issues you can't you can't quibble yeah and yet another example of your

11:04.6

analogy of the car this is just maintenance if you're up to date it's easier to stay up to date

11:09.0

you have your test suite right and you just run it and you're good to go yeah it's like if you

11:15.2

need new tires you put new tires on because otherwise you crash yes um well thank you

11:21.4

everyone for listening thank you carlton for you and the fellows in the community that does all

11:25.2

this work i appreciate it and that is about it i think okay well thanks for joining us join us next

11:34.0

time bye-bye okay bye-bye