ArchLinux: 201512-3: python-django, python2-django: information leakage
Summary
If an application allows users to specify an unvalidated format for
dates and passes this format to the date filter, e.g. {{
last_updated|date:user_date_format }}, then a malicious user could
obtain any secret in the application's settings by specifying a settings
key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".
To remedy this, the underlying function used by the date template
filter, django.utils.formats.get_format(), now only allows accessing the
date/time formatting settings.
Resolution
Upgrade to 1.8.7-1.
# pacman -Syu "python-django>=1.8.7-1"
# pacman -Syu "python2-django>=1.8.7-1"
The problem has been fixed upstream in version 1.8.7 and 1.7.11.
References
https://access.redhat.com/security/cve/CVE-2015-8213 https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
Workaround
None.