Django Weblog: Unauthenticated Remote Code Execution on djangoci.com

Yesterday the Django Security and Operations teams were made aware of a remote code execution vulnerability in the Django Software Foundation’s Jenkins infrastructure, used to run tests on the Django code base for GitHub pull requests and release branches. In this blog post, the teams want to outline the course of events.

Impact

The Django Security and Operations teams want to assure users that at no point was there any risk of malicious releases of Django being issued or uploaded to PyPI or the Django Project website. Official Django releases have always been issued manually by releasers. Neither was there any risk to any user data related to the Django Project website or the Django bug tracker.

Timeline

On May 14th, 2019 at 07:48 UTC the Django Security team was made aware by Ai Ho, through its HackerOne project, that Django's Continuous Integration service was susceptible to a remote code execution vulnerability, allowing unauthenticated users to execute arbitrary code.

At 08:01 UTC, the Django Security team acknowledged the report and took immediate steps to mitigate the issue by shutting down the primary Jenkins server. The Jenkins master server was shut down by 08:10 UTC.

At 08:45 UTC, the Operations team started provisioning a new server. In cases of a compromised server, it is almost always impractical to clean it up. Starting with a fresh, clean installation is a considerably better and safer approach.

At 14:59 UTC, the new Jenkins master server was up and running again, with some configuration left to do to get Jenkins jobs working again. About 10 minutes later, at 15:09 UTC, the jobs were working.

At 15:44 UTC, Jenkins started running tests against GitHub pull requests again.

At 16:00 UTC, the Operations team discussed the necessity of revoking various Let's Encrypt certificates or keys. Since there was no indication that either the account or the certificate's private key had been exposed, it was deemed sufficient to rely on the auto-expiration of the Let's Encrypt certificate. Nonetheless, a new private key for the djangoci.com certificate was generated during the bootstrapping of the new Jenkins master server.

At 16:50 UTC, the Jenkins Windows nodes were working again and started to process jobs.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com or HackerOne, and not via Django’s Trac instance or the django-developers list. Please see our security policies for further information.

Planet Python

Gocept Weblog: Celebration: Zope 4 final release

TL;DR: Zope 4 beta phase ended, final version released!

After hard, long years of preparation Earl Zope has now finally obtained a permanent license for the Python 3 wonderland: In September 2016 almost 20 people started with the reanimation of Zope at the Zope Resurrection sprint. This marked the beginning of a wonderful journey for Earl Zope himself and for the people who helped him. In August 2017 Earl Zope became aware that his Python 2 country will irreversibly be destroyed by 2020. Earl Zope successfully applied for a beta permission for the Python 3 wonderland in September 2017. This beta permission has been extended 9 times to give Earl Zope time to become a good citizen in his new home country.

Earl Zope says a big thank you to all who:

  • contributed to the Python 3 migration even before the resurrection sprint
  • wrote bug reports
  • fixed bugs
  • contributed time and/or money for the migration process
  • encouraged the developers
  • tested beta versions or even used them in production

To be welcome in the Python 3 wonderland many nuts had to be cracked:

  • porting of the code of Zope and its dependencies to Python 3
  • rewrite of RestrictedPython from scratch
  • develop a migration strategy for the ZODB contents aka Data.fs
  • polish the user interface of the Zope management interface (ZMI)
  • and many more…

Earl Zope is looking forward to a happy future in the Python 3 wonderland. He has not yet given up his residence in the Python 2 land. This is planned to happen shortly before or after the Python 2 sunset at the beginning of 2020, when the son of Earl Zope IV becomes the new Earl Zope V. See the roadmap for details.


Gocept Weblog: Zope Spring Cleaning: Last minute information

As the beta permission of Earl Zope in the Python 3 wonderland was extended in October 2018, gocept invites Zope developers to the upcoming sprint from 08.05. till 10.05.2019 in Halle (Saale), Germany, to continue together on the work that is still left.

We aim to polish the last dusty spots on Earl Zope for the final permission to Python 3 wonderland aka the final 4.0 release. As Plone and other applications based on Zope have finally found a way to migrate a ZODB Data.fs created with Python 2 to Python 3, the obstacles for this final permit are almost gone.

So if you have questions concerning migrating databases, it is a good time to join or to open an issue on GitHub. As many people will be working on Zope during those days, the probability of a quick answer is high.

As an organizational tool to coordinate the work, we use GitHub projects again, as they allow cross-repository tracking of issues.

Our current schedule:

  • Wednesday:
    • 8:15 Breakfast at gocept kitchen
    • 9:00 Welcome at gocept office and start sprinting afterwards
    • 12:30 Lunch
    • 13:30 Happy sprinting
    • between 15:00 and 16:00 coffee break
    • 18:00 Lights out
    • Going to a local pub
  • Thursday:
    • 8:15 Breakfast
    • 9:00 Standup
    • 12:30 Lunch
    • 13:30 Happy sprinting
    • between 15:00 and 16:00 coffee break
    • 17:00 A game of boules if the weather permits it
    • Going to a local pub
  • Friday:
    • 8:15 Breakfast
    • 9:00 Standup
    • 12:30 Lunch
    • 13:30 Happy sprinting
    • 15:00 Closing meeting
    • 16:00 Lights out

Parking: As Saltlabs is located in a pedestrian zone, the availability of parking spots is rather low. Please use one of the parking decks nearby.

One last hint: The location of the sprint is Leipziger Str. 70, Halle (Saale), Germany.


Django Weblog: Paid Internship Opportunity: Build an App for the DSF

Do you want to get paid to contribute to Django, while learning more about the framework and language? Great: I’m looking for an intern to implement a new feature here on djangoproject.com. You’ll do the work, you’ll get paid, and I’ll be there to support you.

The feature in question is the DSF membership app — a tool to gather nominations, comment and vote on applicants, and track membership. You can read more about the app in the call for proposals. With my guidance, you’ll implement the feature yourself, learning about Django and the djangoproject.com site as you go. When you’re done, you’ll have helped streamline the DSF’s operations and leveled up technically.

To apply: fill out this form. Applications close May 10th at 4pm ET.

For more details, read on.

In this role, you will:

  • Learn how the djangoproject.com app works and familiarize yourself with the code.
  • Implement this new feature yourself, using Python/Django. I’ll provide guidance, review your pull requests, and implement small pieces myself if you get stuck and want help.
  • Work with me and the DSF Board to test, gather feedback, and iterate on the feature.
  • Meet with me weekly (or more frequently, if you like) to discuss the project, talk through feedback, ask questions, etc.

This is a role intended for someone fairly new to Django development. It’s suitable for most beginners with a bit of Django experience.

Required qualifications:

  • You should already know Python at an “advanced beginner” level — e.g. have worked through a tutorial or book on the language, and successfully written some code before.
  • You should have written at least one Django site before (a small one is fine), or participated as part of a larger team developing one. If you have equivalent experience in a similar Python web framework (e.g. Flask), that’s OK too.

Priority will be given to applicants who have not contributed code to Django or a major third-party app before, and want to get involved in a more meaningful way.

This position is remote and is open to anyone anywhere in the world. (Though, you must be able to legally accept money from the United States to be paid.)

Timeline: We’ve budgeted for 4 weeks of work, at roughly 20-30 hours per week, with an extra 2 weeks if needed to incorporate feedback from the DSF. A longer timeline is fine if you need to fit a different schedule.

Payment: $5,000, with an additional $1,500 if the extra work is needed. This may be flexible: if you need more money to make this viable for you, please note that fact in the application. All the money will go to you; I’m volunteering my time.

To apply: fill out this form. Applications close May 10th at 4pm ET.

Qualified applicants should expect to complete a short coding exercise in Python (less than an hour), and to have an hour-long interview with me (questions will be provided ahead of time).

All applicants should expect to hear back by May 31st.
