
[SECURITY] [DLA 349-1] python-django security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : python-django
Version        : 1.2.3-3+squeeze15
CVE ID         : CVE-2015-8213

It was discovered that there was a potential settings leak in the date
template filter of Django, a web development framework.

If an application allows users to specify an unvalidated format for
dates and passes this format to the date filter, e.g.
{{ last_updated|date:user_date_format }}, then a malicious user
could obtain any secret in the application's settings by specifying
a settings key instead of a date format, e.g. "SECRET_KEY" instead
of "j/m/Y".

To remedy this, the underlying function used by the date template
filter, django.utils.formats.get_format(), now only allows accessing
the date/time formatting settings.
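The following is an added example, not Django's own code and not part of
this advisory: a simplified model of the settings lookup behind the date
filter, showing the unrestricted lookup beside the allowlisted one the fix
introduces, and an application-side check that maps a user's choice onto
a fixed set of formats instead of passing raw input to the filter. The
settings object and its values, the FORMAT_SETTINGS allowlist, the tiny
date renderer and the sample date are all constructed for this example.

```python
# Added example (not Django's own code): a simplified model of the
# settings lookup behind Django's date filter, contrasting the
# unrestricted lookup with the allowlisted one described in the
# advisory, plus an application-side check for user-chosen formats.
# The settings object, its values, FORMAT_SETTINGS, the renderer and
# the sample date are all constructed for this example.
from datetime import date
from types import SimpleNamespace

# Constructed stand-in for django.conf.settings; the secret is fake.
settings = SimpleNamespace(
    SECRET_KEY="s3cr3t-k3y-v4lu3",
    DATE_FORMAT="N j, Y",
    SHORT_DATE_FORMAT="m/d/Y",
)

# Names of settings that the date/time filters legitimately resolve.
FORMAT_SETTINGS = frozenset({
    "DATE_FORMAT", "DATETIME_FORMAT", "TIME_FORMAT",
    "SHORT_DATE_FORMAT", "SHORT_DATETIME_FORMAT",
    "YEAR_MONTH_FORMAT", "MONTH_DAY_FORMAT",
})

SAMPLE_DATE = date(2015, 11, 24)  # constructed


def get_format_unrestricted(format_type):
    """Models the pre-fix lookup: any attribute of settings is returned,
    so a format string that happens to name a setting yields its value."""
    return getattr(settings, format_type, format_type)


def get_format_allowlisted(format_type):
    """Models the fix: only date/time format settings are resolved;
    anything else is handed back untouched as a literal format string."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


def render_date(value, fmt):
    """Tiny stand-in for django.utils.dateformat.format: expands the
    j, d, n, m and Y format characters and copies everything else."""
    pieces = []
    for ch in fmt:
        if ch == "j":
            pieces.append(str(value.day))
        elif ch == "d":
            pieces.append(f"{value.day:02d}")
        elif ch == "n":
            pieces.append(str(value.month))
        elif ch == "m":
            pieces.append(f"{value.month:02d}")
        elif ch == "Y":
            pieces.append(str(value.year))
        else:
            pieces.append(ch)
    return "".join(pieces)


def date_filter(value, arg, lookup):
    """Models {{ value|date:arg }} with a pluggable settings lookup."""
    return render_date(value, str(lookup(arg)))


# Application-side defence: never pass free-form user input as the
# format; map the user's choice onto a fixed set of known formats.
USER_SELECTABLE_FORMATS = {
    "dmy": "d/m/Y",
    "mdy": "m/d/Y",
    "iso": "Y-m-d",
}


def resolve_user_format(choice, default="dmy"):
    """Return a known format for a user's choice, falling back to the
    default rather than passing the raw value through."""
    return USER_SELECTABLE_FORMATS.get(choice, USER_SELECTABLE_FORMATS[default])


def demo(sample=SAMPLE_DATE):
    """Run the same inputs through both lookups and the user-choice map."""
    return {
        "literal_unrestricted": date_filter(sample, "j/m/Y", get_format_unrestricted),
        "leak_unrestricted": date_filter(sample, "SECRET_KEY", get_format_unrestricted),
        "leak_allowlisted": date_filter(sample, "SECRET_KEY", get_format_allowlisted),
        "setting_allowlisted": date_filter(sample, "SHORT_DATE_FORMAT", get_format_allowlisted),
        "user_choice": date_filter(sample, resolve_user_format("SECRET_KEY"), get_format_allowlisted),
    }


if __name__ == "__main__":
    for name, rendered in demo().items():
        print(f"{name}: {rendered}")
```

With the unrestricted lookup, the key name resolves to the constructed
secret and it is rendered into the page; with the allowlisted lookup the
same input is treated as a literal format string (so its "Y" becomes the
year, just like any other unknown format), and with the application-side
mapping the raw value never reaches the filter at all. A legitimate key
such as SHORT_DATE_FORMAT still resolves after the fix.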

For Debian 6 Squeeze, this issue has been fixed in python-django
version 1.2.3-3+squeeze15.


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----