This is a programming note that I will be completely offline for the last days of the Passover holiday. The last days of Passover are on Monday and Tuesday...

In accordance with our security release policy, the Django team is issuing Django 5.0.2, Django 4.2.10, and Django 3.2.24. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2024-24680: Potential denial-of-service in intcomma template filter

The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

Thanks Seokchan Yoon for the report.

This issue has severity "moderate" according to the Django security policy.

Affected supported versions

• Django main branch
• Django 5.0
• Django 4.2
• Django 3.2

Resolution

Patches to resolve the issue have been applied to Django's main branch and the 5.0, 4.2, and 3.2 stable branches. The patches may be obtained from the following changesets:

• On the main branch
• On the 5.0 release branch
• On the 4.2 release branch
• On the 3.2 release branch

The following releases have been issued:

• Django 5.0.2 (download Django 5.0.2 | 5.0.2 checksums)
• Django 4.2.10 (download Django 4.2.10 | 4.2.10 checksums)
• Django 3.2.24 (download Django 3.2.24 | 3.2.24 checksums)

The PGP key ID used for this release is Natalia Bidart: 2EE82A8D9470983E

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance, nor via the Django Forum, nor via the django-developers list. Please see our security policies for further information.

After five years as part of the Django Fellowship program, Mariusz Felisiak has let us know that he will be stepping down as a Django Fellow in March 2024 to explore other things. Mariusz has made an extraordinary impact as a Django Fellow and has been a critical part of the Django community.

The Django Software Foundation and the wider Django community are grateful for his service and assistance.

The Fellowship program was started in 2014 as a way to dedicate high-quality and consistent resources to the maintenance of Django. As Django has matured, the DSF has been able to fundraise and earmark funds for this vital role. As a result, the DSF currently supports two Fellows - Mariusz Felisiak and Natalia Bidart. With the departure of Mariusz, the Django Software Foundation is announcing a call for Django Fellow applications. The new Fellow will work alongside Natalia.

The position of Fellow is focused on maintenance and community support - the work that benefits most from constant, guaranteed attention rather than volunteer-only efforts. In particular, the duties include:

• Answering contributor questions on Forum and the django-developers mailing list
• Helping new Django contributors land patches and learn our philosophy
• Monitoring the security@djangoproject.com email alias and ensuring security issues are acknowledged and responded to promptly
• Fixing release blockers and helping to ensure timely releases
• Fixing severe bugs and helping to backport fixes to these and security issues
• Reviewing and merging pull requests
• Triaging tickets on Trac

Being a Django contributor isn't a prerequisite for this position — we can help get you up to speed. We'll consider applications from anyone with a proven history of working with either the Django community or another similar open-source community. Geographical location isn't important either - we have several methods of remote communication and coordination that we can use depending on the timezone difference to the supervising members of Django.

If you're interested in applying for the position, please email us at fellowship-committee@djangoproject.com describing why you would be a good fit along with details of your relevant experience and community involvement. Also, please include your preferred hourly rate and when you'd like to start working. Lastly, please include at least one recommendation.

Applicants will be evaluated based on the following criteria:

• Details of Django and/or other open-source contributions
• Details of community support in general
• Understanding of the position
• Clarity, formality, and precision of communications
• Strength of recommendation(s)

Applications will be open until 1200 AoE, February 16, 2024, with the expectation that the successful candidate will be notified no later than March 1, 2024.