Discover Government News

Arch Linux Security Advisory ASA-201512-3
========================================
Severity: Medium
Date    : 2015-12-05
CVE-ID  : CVE-2015-8213
Package : python-django, python2-django
Type    : information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The packages python-django and python2-django before version 1.8.7-1 are
vulnerable to information leakage.

Resolution
=========
Upgrade to 1.8.7-1.

# pacman -Syu "python-django>=1.8.7-1"
# pacman -Syu "python2-django>=1.8.7-1"

The problem has been fixed upstream in version 1.8.7 and 1.7.11.

Workaround
=========
None.

Description
==========
If an application allows users to specify an unvalidated format for
dates and passes this format to the date filter, e.g. {{
last_updated|date:user_date_format }}, then a malicious user could
obtain any secret in the application's settings by specifying a settings
key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".

To remedy this, the underlying function used by the date template
filter, django.utils.formats.get_format(), now only allows accessing the
date/time formatting settings.

Impact
=====
A remote attacker might be able to access sensitive information from a
vulnerable application.

References
=========
https://access.redhat.com/security/cve/CVE-2015-8213
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/

ArchLinux: 201512-3: python-django, python2-django: information leakage

December 5, 2015

Summary

If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y". To remedy this, the underlying function used by the date template filter, django.utils.formats.get_format(), now only allows accessing the date/time formatting settings.

Resolution

Upgrade to 1.8.7-1. # pacman -Syu "python-django>=1.8.7-1" # pacman -Syu "python2-django>=1.8.7-1"
The problem has been fixed upstream in version 1.8.7 and 1.7.11.

References

https://access.redhat.com/security/cve/CVE-2015-8213 https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/

Severity
Package : python-django, python2-django
Type : information leakage
Remote : Yes
Link : https://wiki.archlinux.org/title/CVE

Workaround

None.

Related News