Debian Bug report logs - #539134
Insufficient input validation in "runserver" development server


Package: python-django; Maintainer for python-django is Debian Python Team <team+python@tracker.debian.org>;

Reported by: Chris Lamb <lamby@debian.org>

Date: Wed, 29 Jul 2009 10:30:06 UTC

Severity: important

Tags: security

Found in version python-django/1.0.2-1

Fixed in versions python-django/1.0.2-1+lenny1, python-django/1.1-1

Done: Chris Lamb <lamby@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#539134; Package python-django. (Wed, 29 Jul 2009 10:30:08 GMT).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. (Wed, 29 Jul 2009 10:30:08 GMT).


Message #5 received at submit@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: submit@bugs.debian.org
Subject: Insufficient input validation in "runserver" development server
Date: Wed, 29 Jul 2009 12:13:41 +0200

Package: python-django
Version: 1.0.2-1
Severity: serious
Tags: security

> Django includes a lightweight, WSGI-based web server for use in
> learning Django and in testing new applications during early stages of
> development. For sake of convenience, this web server automatically
> maps certain URLs corresponding to the static media files used by the
> Django administrative application.
> 
> The handler which maps these URLs did not properly check the requested
> URL to verify that it corresponds to a static media file used by
> Django. As such, a carefully-crafted URL can cause the development
> server to serve any file to which it has read access.
> 
> By default, the development server does not listen on interfaces other
> than the local IPv4 loopback, and Django's documentation has and will
> continue to have stern warnings against the use of the development
> server in other situations (e.g., listening on a publicly- or
> network-accessible interface), and stating that the development server
> is not considered secure or performant enough for such use.

         <http://www.djangoproject.com/weblog/2009/jul/28/security/>

Does not affect unstable (once 1.1-1 lands).


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org
       `-
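
The flaw described in the report above, as an added illustration that is not Django's code or the Debian patch: a hypothetical static-media resolver that joins the URL remainder onto the media directory with no containment check, beside a version that refuses any path resolving outside that directory. The function names, the `/media/` prefix and the temporary directory layout are assumptions constructed for this example.

```python
import os
import tempfile
from urllib.parse import unquote

MEDIA_PREFIX = "/media/"  # assumed URL prefix, constructed for this example


def resolve_unchecked(media_root, url_path):
    """Flawed pattern: the URL remainder is trusted as a relative file path."""
    relative = unquote(url_path[len(MEDIA_PREFIX):])
    return os.path.join(media_root, relative)


def resolve_checked(media_root, url_path):
    """Return a file path inside media_root, or None if the request leaves it."""
    if not url_path.startswith(MEDIA_PREFIX):
        return None
    relative = unquote(url_path[len(MEDIA_PREFIX):])
    if "\x00" in relative:
        return None
    root = os.path.realpath(media_root)
    # realpath collapses ".." segments and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath compares whole components, so a sibling such as "media-old"
    # is not mistaken for a path inside "media" the way a string prefix test is.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as handle:
        handle.write(text)


def demo():
    """Map each constructed request to (unchecked_escapes_root, checked_serves)."""
    with tempfile.TemporaryDirectory() as base:
        media_root = os.path.join(base, "media")
        _write(os.path.join(media_root, "css", "base.css"), "body {}\n")
        _write(os.path.join(base, "settings.py"), "SECRET_KEY = 'constructed'\n")
        _write(os.path.join(base, "media-old", "x.css"), "p {}\n")
        root = os.path.realpath(media_root)
        requests = [  # constructed sample requests
            "/media/css/base.css",
            "/media/../settings.py",
            "/media/%2e%2e/settings.py",
            "/media/../media-old/x.css",
        ]
        results = {}
        for url in requests:
            target = os.path.realpath(resolve_unchecked(media_root, url))
            escapes = os.path.commonpath([root, target]) != root
            served = resolve_checked(media_root, url) is not None
            results[url] = (escapes, served)
        return results


if __name__ == "__main__":
    for url, (escapes, served) in demo().items():
        print(f"{url:28} unchecked escapes root: {escapes!s:5} checked serves: {served}")
```

The same containment check works as a regression test for any handler that maps a URL prefix onto a directory.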

Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#539134; Package python-django. (Wed, 29 Jul 2009 12:09:05 GMT).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. (Wed, 29 Jul 2009 12:09:05 GMT).


Message #10 received at 539134@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 539134@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#539134: Insufficient input validation in "runserver" development server
Date: Wed, 29 Jul 2009 14:05:35 +0200

Chris Lamb wrote:

> Does not affect unstable (once 1.1-1 lands).

Packages for stable-security are available at:

  http://people.debian.org/~lamby/539134/

I can't find any CVE numbers, but am not used to looking.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org
       `-

Added tag(s) pending. Request was from lamby@users.alioth.debian.org to control@bugs.debian.org. (Wed, 29 Jul 2009 12:09:06 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#539134; Package python-django. (Thu, 30 Jul 2009 15:18:05 GMT).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. (Thu, 30 Jul 2009 15:18:05 GMT).


Message #17 received at 539134@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Chris Lamb <lamby@debian.org>
Cc: 539134@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#539134: Insufficient input validation in "runserver" development server
Date: Thu, 30 Jul 2009 17:12:30 +0200

Hi,
* Chris Lamb <lamby@debian.org> [2009-07-29 14:26]:
> Chris Lamb wrote:
> 
> > Does not affect unstable (once 1.1-1 lands).
> 
> Packages for stable-security are available at:
> 
>   http://people.debian.org/~lamby/539134/
> 
> I can't find any CVE numbers, but am not used to looking.

Thanks for pinging me on debconf to answer that :)

As the webserver is bound to localhost in the default and 
the user explicitly has to bind it to another hostname + it 
isn't used in production environments I suggest going 
through stable-proposed-updates with that.
Is that ok for you?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#539134; Package python-django. (Thu, 30 Jul 2009 15:36:02 GMT).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. (Thu, 30 Jul 2009 15:36:02 GMT).


Message #22 received at 539134@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Nico Golde <nion@debian.org>, 539134@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#539134: Insufficient input validation in "runserver" development server
Date: Thu, 30 Jul 2009 17:34:06 +0200

tags 539134 -security
thanks

Nico Golde wrote:

> I suggest going through stable-proposed-updates with that. Is that ok
> for you?

Works for me. Dropping security tag.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org
       `-

Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#539134; Package python-django. (Thu, 30 Jul 2009 15:39:03 GMT).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. (Thu, 30 Jul 2009 15:39:03 GMT).


Message #27 received at 539134@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 539134@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#539134: Insufficient input validation in "runserver" development server
Date: Thu, 30 Jul 2009 17:38:05 +0200

severity 539134 important
thanks

Chris Lamb wrote:

> > I suggest going through stable-proposed-updates with that. Is that ok
> > for you?
> 
> Works for me. Dropping security tag.

... also dropping severity so it actually gets into testing.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org
       `-

Severity set to 'important' from 'serious'. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Thu, 30 Jul 2009 15:39:05 GMT).


Removed tag(s) security. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Thu, 30 Jul 2009 15:42:07 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#539134; Package python-django. (Thu, 30 Jul 2009 16:00:03 GMT).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. (Thu, 30 Jul 2009 16:00:03 GMT).


Message #36 received at 539134@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 539134@bugs.debian.org
Subject: [SRM] python-django 1.0.2-1+lenny1 for stable?
Date: Thu, 30 Jul 2009 17:58:57 +0200

Hi -release,

There is a minor security problem with python-django in stable; Nion
recommended the fix went this way instead of stable-security as it does
not affect typical installations. The patch is upstream-blessed.

The relevant changelog entry is:

 python-django (1.0.2-1+lenny1) stable-proposed-updates; urgency=low

   * Add patch to fix issue with a maliciously crafted URL gaining
     access to  any file on the filesystem (Closes: #539134)

     Upstream writes:

       Django includes a lightweight, WSGI-based web server for use in
       learning Django and in testing new applications during early
       stages of development. For sake of convenience, this web server
       automatically maps certain URLs corresponding to the static media
       files used by the Django administrative application.

       The handler which maps these URLs did not properly check the
       requested URL to verify that it corresponds to a static media
       file used by Django. As such, a carefully-crafted URL can cause
       the development server to serve any file to which it has read
       access.

              <http://www.djangoproject.com/weblog/2009/jul/28/security/>

Signed dsc etc. are available at:

  http://people.debian.org/~lamby/539134/stable-proposed-updates/


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org
       `-

Added tag(s) security. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 30 Jul 2009 16:48:12 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#539134; Package python-django. (Thu, 30 Jul 2009 17:36:10 GMT).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. (Thu, 30 Jul 2009 17:36:10 GMT).


Message #43 received at 539134@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: "Chris Lamb" <lamby@debian.org>
Cc: 539134@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: [SRM] python-django 1.0.2-1+lenny1 for stable?
Date: Thu, 30 Jul 2009 18:32:26 +0100
On Thu, July 30, 2009 16:58, Chris Lamb wrote:
> There is a minor security problem with python-django in stable; Nion
> recommended the fix went this way instead of stable-security as it does
> not affect typical installations. The patch is upstream-blessed.
>
> The relevant changelog entry is:
>
>  python-django (1.0.2-1+lenny1) stable-proposed-updates; urgency=low
>
>    * Add patch to fix issue with a maliciously crafted URL gaining
>      access to  any file on the filesystem (Closes: #539134)

Please go ahead.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#539134; Package python-django. (Thu, 30 Jul 2009 18:06:03 GMT).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. (Thu, 30 Jul 2009 18:06:03 GMT).


Message #48 received at 539134@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 539134@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: [SRM] python-django 1.0.2-1+lenny1 for stable?
Date: Thu, 30 Jul 2009 20:04:39 +0200

Adam D. Barratt wrote:

> >  python-django (1.0.2-1+lenny1) stable-proposed-updates; urgency=low
> >
> >    * Add patch to fix issue with a maliciously crafted URL gaining
> >      access to  any file on the filesystem (Closes: #539134)  
> 
> Please go ahead.

Uploaded; thanks :)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org
       `-

Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Sat, 01 Aug 2009 02:15:06 GMT).


Notification sent to Chris Lamb <lamby@debian.org>:
Bug acknowledged by developer. (Sat, 01 Aug 2009 02:15:07 GMT).


Message #53 received at 539134-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 539134-close@bugs.debian.org
Subject: Bug#539134: fixed in python-django 1.0.2-1+lenny1
Date: Sat, 01 Aug 2009 01:57:49 +0000
Source: python-django
Source-Version: 1.0.2-1+lenny1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:

python-django_1.0.2-1+lenny1.diff.gz
  to pool/main/p/python-django/python-django_1.0.2-1+lenny1.diff.gz
python-django_1.0.2-1+lenny1.dsc
  to pool/main/p/python-django/python-django_1.0.2-1+lenny1.dsc
python-django_1.0.2-1+lenny1_all.deb
  to pool/main/p/python-django/python-django_1.0.2-1+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 539134@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 30 Jul 2009 17:43:56 +0200
Source: python-django
Binary: python-django
Architecture: source all
Version: 1.0.2-1+lenny1
Distribution: stable-proposed-updates
Urgency: low
Maintainer: Brett Parker <iDunno@sommitrealweird.co.uk>
Changed-By: Chris Lamb <lamby@debian.org>
Description: 
 python-django - A high-level Python Web framework
Closes: 539134
Changes: 
 python-django (1.0.2-1+lenny1) stable-proposed-updates; urgency=low
 .
   * Add patch to fix issue with a maliciously crafted URL gaining access to
     any file on the filesystem (Closes: #539134)
 .
     Upstream writes:
 .
       Django includes a lightweight, WSGI-based web server for use in
       learning Django and in testing new applications during early stages of
       development. For sake of convenience, this web server automatically
       maps certain URLs corresponding to the static media files used by the
       Django administrative application.
 .
       The handler which maps these URLs did not properly check the requested
       URL to verify that it corresponds to a static media file used by
       Django. As such, a carefully-crafted URL can cause the development
       server to serve any file to which it has read access.
 .
              <http://www.djangoproject.com/weblog/2009/jul/28/security/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpxwpMACgkQ5/8uW2NPmiB9kwCePmfFkods2yLOl7jRuh0+na0F
ifMAnib70VvOsz7WD9zH+REm5DDwqAW0
=ZwWR
-----END PGP SIGNATURE-----





Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Fri, 04 Sep 2009 19:24:27 GMT).


Notification sent to Chris Lamb <lamby@debian.org>:
Bug acknowledged by developer. (Fri, 04 Sep 2009 19:24:28 GMT).


Message #58 received at 539134-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 539134-close@bugs.debian.org
Subject: Bug#539134: fixed in python-django 1.0.2-1+lenny1
Date: Fri, 04 Sep 2009 18:32:44 +0000
Source: python-django
Source-Version: 1.0.2-1+lenny1






Marked as fixed in versions python-django/1.1-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Mon, 04 Nov 2013 12:03:29 GMT).


Bug archived. Request was from Luke Faraone <lfaraone@debian.org> to control@bugs.debian.org. (Wed, 06 Nov 2013 15:42:07 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 23 19:37:01 2026; Machine Name: berlioz
