Arch Linux ASA-201512-3 Medium Severity: Python-Django Information Leak

Arch Linux Security Advisory ASA-201512-3
========================================
Severity: Medium
Date    : 2015-12-05
CVE-ID  : CVE-2015-8213
Package : python-django, python2-django
Type    : information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The packages python-django and python2-django before version 1.8.7-1 are
vulnerable to information leakage.

Resolution
=========
Upgrade to 1.8.7-1.

# pacman -Syu "python-django>=1.8.7-1"
# pacman -Syu "python2-django>=1.8.7-1"

The problem has been fixed upstream in version 1.8.7 and 1.7.11.

Workaround
=========
None.

Description
==========
If an application allows users to specify an unvalidated format for
dates and passes this format to the date filter, e.g. {{
last_updated|date:user_date_format }}, then a malicious user could
obtain any secret in the application's settings by specifying a settings
key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".

To remedy this, the underlying function used by the date template
filter, django.utils.formats.get_format(), now only allows accessing the
date/time formatting settings.

Impact
=====
A remote attacker might be able to access sensitive information from a
vulnerable application.

References
=========
https://access.redhat.com/security/cve/CVE-2015-8213
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/