Arch Linux Security Advisory ASA-201512-3 ========================================= Severity: Medium Date : 2015-12-05 CVE-ID : CVE-2015-8213 Package : python-django, python2-django Type : information leakage Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The packages python-django and python2-django before version 1.8.7-1 are vulnerable to information leakage. Resolution ========== Upgrade to 1.8.7-1. # pacman -Syu "python-django>=1.8.7-1" # pacman -Syu "python2-django>=1.8.7-1" The problem has been fixed upstream in version 1.8.7 and 1.7.11. Workaround ========== None. Description =========== If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y". To remedy this, the underlying function used by the date template filter, django.utils.formats.get_format(), now only allows accessing the date/time formatting settings. Impact ====== A remote attacker might be able to access sensitive information from a vulnerable application. References ========== https://access.redhat.com/security/cve/CVE-2015-8213 https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/