Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-349-1 python-django

Debian Security Advisory

DLA-349-1 python-django -- LTS security update

Date Reported:

25 Nov 2015

Affected Packages:

python-django

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2015-8213.

More information:

It was discovered that there was a potential settings leak in date template filter of Django, a web-development framework.

If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format. e.g. SECRET_KEY instead of "j/m/Y".

To remedy this, the underlying function used by the date template filter, django.utils.formats.get_format(), now only allows accessing the date/time formatting settings.

For Debian 6 Squeeze, this issue has been fixed in python-django version 1.2.3-3+squeeze15.