[arch-security] [ASA-201512-3] python-django, python2-django: information leakage

Remi Gacogne rgacogne at archlinux.org
Sat Dec 5 13:32:15 UTC 2015

Arch Linux Security Advisory ASA-201512-3

Severity: Medium
Date    : 2015-12-05
CVE-ID  : CVE-2015-8213
Package : python-django, python2-django
Type    : information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE


The packages python-django and python2-django before version 1.8.7-1 are
vulnerable to information leakage: a user-controlled argument to the date
template filter can be used to read arbitrary values from the
application's settings.


Upgrade to 1.8.7-1.

# pacman -Syu "python-django>=1.8.7-1"
# pacman -Syu "python2-django>=1.8.7-1"

The problem has been fixed upstream in versions 1.8.7 and 1.7.11.




If an application lets users specify an unvalidated date format and passes
that format to the date template filter, e.g.
{{ last_updated|date:user_date_format }}, then a malicious user can obtain
any value from the application's settings by supplying a settings name
instead of a date format, e.g. "SECRET_KEY" instead of "j/m/Y". The filter
resolves its argument through django.utils.formats.get_format(), which
looked the argument up as a settings attribute before falling back to
treating it as a literal format string.

To remedy this, get_format(), the underlying function used by the date
template filter, now only resolves the date/time formatting settings; any
other string is treated as a literal format.
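The following is an added example for this advisory, not Django's own source. It models the lookup chain behind {{ value|date:user_format }} in a self-contained way: the filter hands its argument to get_format(), which before 1.8.7 / 1.7.11 tried getattr(settings, name) for any name. The FORMAT_SETTINGS allowlist follows the idea of the upstream fix; the settings object, its values and the SECRET_KEY are constructed for the demo, and only a handful of date format characters are implemented. The allowlisted user_date_format() helper at the end is a hypothetical application-side mitigation that does not depend on the Django version.

```python
"""CVE-2015-8213 in miniature: a user-controlled format name reaching
settings, and what the upstream fix changed.

Added example, not Django's code. get_format_vulnerable() and
get_format_fixed() are simplified models of django.utils.formats.get_format()
before and after the fix; everything else is scaffolding so the file runs
offline.
"""
from datetime import datetime
from types import SimpleNamespace

# Constructed stand-in for django.conf.settings. The secret is fake.
settings = SimpleNamespace(
    SECRET_KEY="k3s-j7m",
    DATE_FORMAT="d/m/Y",
    SHORT_DATE_FORMAT="y-m-d",
)

# Names that may be resolved to a format (allowlist, as the fix introduced).
FORMAT_SETTINGS = frozenset({
    "DECIMAL_SEPARATOR", "THOUSAND_SEPARATOR", "NUMBER_GROUPING",
    "FIRST_DAY_OF_WEEK", "MONTH_DAY_FORMAT", "TIME_FORMAT", "DATE_FORMAT",
    "DATETIME_FORMAT", "SHORT_DATE_FORMAT", "SHORT_DATETIME_FORMAT",
    "YEAR_MONTH_FORMAT", "DATE_INPUT_FORMATS", "TIME_INPUT_FORMATS",
    "DATETIME_INPUT_FORMATS",
})

# Small subset of Django's date format characters; other characters are echoed.
SPECIFIERS = {
    "j": lambda d: str(d.day),
    "d": lambda d: f"{d.day:02d}",
    "n": lambda d: str(d.month),
    "m": lambda d: f"{d.month:02d}",
    "Y": lambda d: str(d.year),
    "y": lambda d: f"{d.year % 100:02d}",
    "H": lambda d: f"{d.hour:02d}",
    "i": lambda d: f"{d.minute:02d}",
    "s": lambda d: f"{d.second:02d}",
}


def format_date(value, formatstr):
    """Expand format characters; anything outside SPECIFIERS passes through."""
    return "".join(SPECIFIERS[c](value) if c in SPECIFIERS else c
                   for c in formatstr)


def get_format_vulnerable(format_type):
    """Pre-fix lookup: any settings attribute resolves, so "SECRET_KEY"
    becomes the secret itself. Unknown names fall back to the literal string,
    which is what let {{ d|date:"j/m/Y" }} work in the first place."""
    return getattr(settings, format_type, format_type)


def get_format_fixed(format_type):
    """Post-fix lookup: only names in FORMAT_SETTINGS are resolved."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


def date_filter(value, arg, get_format=get_format_fixed):
    """Model of the date template filter: resolve arg, then format the date."""
    return format_date(value, get_format(arg))


# Hypothetical application-side defence: never pass the user's raw string to
# the filter; map a fixed set of choices to formats instead.
USER_DATE_FORMATS = {"eu": "d/m/Y", "us": "m/d/Y", "iso": "Y-m-d"}


def user_date_format(choice):
    """Return an allowlisted format for a user choice, defaulting to ISO."""
    return USER_DATE_FORMATS.get(choice, USER_DATE_FORMATS["iso"])


def demo(value=datetime(2015, 12, 5, 13, 32, 15)):
    """Run the interesting cases and return their rendered output."""
    return {
        "benign_vulnerable": date_filter(value, "j/m/Y", get_format_vulnerable),
        "leak_vulnerable": date_filter(value, "SECRET_KEY", get_format_vulnerable),
        "leak_fixed": date_filter(value, "SECRET_KEY", get_format_fixed),
        "setting_fixed": date_filter(value, "DATE_FORMAT", get_format_fixed),
        "allowlisted": date_filter(value, user_date_format("SECRET_KEY")),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:20} {out}")
```

Note what the "leak_vulnerable" case shows: the secret is rendered through the date formatter, so characters that are format specifiers (here s, j and m) come back as date components while digits and punctuation survive verbatim. Django's real formatter treats most ASCII letters as format characters, so a leaked SECRET_KEY is partially rewritten rather than echoed intact; settings consisting mainly of digits or punctuation leak cleanly, and the rewritten positions are still recoverable in part because the date being formatted is often predictable.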


A remote attacker might be able to access sensitive information from a
vulnerable application.


