Week ending 2026-06-07 (Week 23)
This week was quite intense, with most of the focus on getting the security release out the door. Issuing the release for the 5 CVEs took a fair amount of coordination and attention to detail, and definitely consumed a good chunk of brain power.

Alongside that, there were a number of meetings throughout the week, so overall it was a mix of high-focus release work and keeping in sync with the different groups. Bonus: the final DEP 0018 for MAILERS was approved, moved to the accepted folder, and merged.
Triaged
- #37141 – sendtestemail needs a way to specify the MAILERS configuration (accepted)
- #37138 – Outdated docs CSS in local and preview builds (accepted)
- #37137 – Replace raw SQL suggestion in TIME_ZONE docs (accepted)
Reviewed
- Pull Request #21302 (django/django, by jacobtylerwalls) – Made PR quality check require tickets for new contributors.
- Pull Request #21337 (django/django, by jacobtylerwalls) – [6.1.x] Updated source translation catalogs.
- Pull Request #21404 (django/django, by jacobtylerwalls) – [6.0.x] Updated translations from Transifex.
- Pull Request #21413 (django/django, by jacobtylerwalls) – Refs CVE-2026-6873 -- Defaulted SIGNED_COOKIE_LEGACY_SALT_FALLBACK transitional setting to False.
Security
- Polished security patches in preparation for security release.
- Issued security release for 5 CVEs.
- Prepared and published CVE metadata for publishing CVE records for daphne:
- Prepared and published CVE metadata for publishing CVE records for Django:
  - CVE-2026-6873: Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie
  - CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend
  - CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware
  - CVE-2026-35193: Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware
  - CVE-2026-48587: Potential exposure of private data via whitespace padding in Vary header
- Triaged new security reports.
Other/Misc
- Monthly Steering Council meeting.
- Biweekly meeting with Fellows and Board Liaison (Jeff Triplett).
- Biweekly meeting with Fellows and Line Manager (Andrew Godwin).
- Weekly Fellows meeting.