Django: Security Patch Release and Translation Updates
Django addressed five CVE vulnerabilities affecting caching, SMTP, and signed cookies while updating translations across multiple language catalogs. The project also strengthened contribution quality controls and resolved several admin interface issues.
Duration: 2 minutes 20 seconds
Transcript
Good morning, it's June 3rd, 2026. Django has just completed a significant security release cycle, patching five CVE vulnerabilities while maintaining active development across internationalization and admin improvements.
The headline story is a coordinated security response addressing critical vulnerabilities in core Django components. Five CVEs were resolved, including issues with cache authorization headers, SMTP connection handling, and signed cookie salt namespace collisions. The fixes span Django's caching middleware, email backend, and cookie signing mechanisms. Commit a2faa8e addressed cache authorization issues, while 70d3651 introduced a new signed cookie legacy salt fallback setting to prevent namespace collisions. These patches are already integrated into the 6.0.7 release notes.
Translation infrastructure saw substantial activity with updates from Transifex merged across multiple branches. Pull request 21404 updated the 6.0.x branch translations under the current policy of reverting plural form changes, while PR 21337 updated source translation catalogs for 6.1.x. The team is preparing to shift translation policies for the 6.1 release cycle.
The admin interface received focused attention with two key improvements. PR 21406 updated the vendored Select2 library from version 4.0.13 to 4.1.0, adding missing language translations and modernizing the widget foundation. Separately, PR 21411 fixed a bug where disabled JSON fields incorrectly reported changes through their has-changed method.
Project maintenance was strengthened with new contributor quality controls. PR 21302 now requires Trac tickets for all new contributor submissions, closing a loophole where small pull requests could bypass review requirements by mixing unrelated changes.
Looking ahead, the security patches will likely propagate through Django's supported version branches, and the translation policy changes signal preparation for the 6.1 feature development cycle.
That's your Django development briefing for June 3rd.