[arch-security] [ASA-201512-3] python-django, python2-django: information leakage
Remi Gacogne
rgacogne at archlinux.org
Sat Dec 5 13:32:15 UTC 2015
Arch Linux Security Advisory ASA-201512-3
=========================================
Severity: Medium
Date : 2015-12-05
CVE-ID : CVE-2015-8213
Package : python-django, python2-django
Type : information leakage
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The packages python-django and python2-django before version 1.8.7-1 are
vulnerable to information leakage.
Resolution
==========
Upgrade to 1.8.7-1.
# pacman -Syu "python-django>=1.8.7-1"
# pacman -Syu "python2-django>=1.8.7-1"
The problem has been fixed upstream in version 1.8.7 and 1.7.11.
Workaround
==========
None.
Description
===========
If an application allows users to specify an unvalidated format for
dates and passes this format to the date filter, e.g. {{
last_updated|date:user_date_format }}, then a malicious user could
obtain any secret in the application's settings by specifying a settings
key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".
To remedy this, the underlying function used by the date template
filter, django.utils.formats.get_format(), now only allows accessing the
date/time formatting settings.
Impact
======
A remote attacker might be able to access sensitive information from a
vulnerable application.
References
==========
https://access.redhat.com/security/cve/CVE-2015-8213
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20151205/8b5e85de/attachment.asc>
More information about the arch-security
mailing list