From ${URL} :

In accordance with our security release policy, the Django team is issuing multiple releases -- Django 1.7.11, 1.8.7, and 1.9 release candidate 2. These releases are now available on PyPI and our download page.

These releases address a security issue detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master branch has also been updated.

CVE-2015-8213: Fixed settings leak possibility in date template filter

If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format, e.g. "SECRET_KEY" instead of "j/m/Y".

To remedy this, the underlying function used by the date template filter, django.utils.formats.get_format(), now only allows accessing the date/time formatting settings.

Thanks Ryan Butterfield for reporting the issue.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
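As an added illustration of the lookup described in the release note above (example code written for this page, not part of the bug report and not Django's own implementation), the following Python models a date filter that resolves a user-supplied format string by name against a settings object. The Settings class, its values, the three-name FORMAT_SETTINGS allowlist, the format-character subset and the USER_DATE_FORMAT_CHOICES presets are all constructed assumptions; the before/after behaviour of the lookup follows the description in the note.

```python
"""Constructed model of the lookup behind CVE-2015-8213 (added example, not
Django's code): a date filter that resolves a user-supplied format string by
name against the settings module, before and after the allowlist fix."""

from datetime import date


class Settings:
    # Constructed stand-in for django.conf.settings; every value is made up.
    SECRET_KEY = "x-not-a-real-secret-x"
    DATE_FORMAT = "N j, Y"
    SHORT_DATE_FORMAT = "m/d/Y"
    TIME_FORMAT = "P"


settings = Settings()

# Names a format lookup is permitted to resolve against settings. Modelled on
# the allowlist introduced by the Django fix, reduced to three names here.
FORMAT_SETTINGS = frozenset({"DATE_FORMAT", "SHORT_DATE_FORMAT", "TIME_FORMAT"})


def get_format_before_fix(format_type):
    """Pre-fix behaviour: any settings attribute is resolved by name, so a
    format string that happens to be a settings key returns that setting."""
    return getattr(settings, format_type, format_type)


def get_format_after_fix(format_type):
    """Post-fix behaviour: only allowlisted date/time settings are looked up;
    every other string is treated as a literal format string."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


# Small subset of Django-style date format characters. Unrecognised characters
# are copied through unchanged, which is how a resolved settings value would
# end up in the rendered page.
_FORMAT_CHARS = {
    "j": lambda d: str(d.day),
    "d": lambda d: f"{d.day:02d}",
    "m": lambda d: f"{d.month:02d}",
    "Y": lambda d: str(d.year),
}


def format_date(value, user_format, get_format):
    """Render `value` with `user_format`, resolving the format through the
    supplied get_format implementation (before- or after-fix)."""
    fmt = get_format(user_format)
    return "".join(_FORMAT_CHARS[c](value) if c in _FORMAT_CHARS else c for c in fmt)


# Application-layer control that holds even without the library fix: the user
# picks a preset by key, and the raw input string never reaches the filter.
USER_DATE_FORMAT_CHOICES = {"iso": "Y-m-d", "us": "m/d/Y", "eu": "d/m/Y"}


def format_date_for_user(value, choice):
    fmt = USER_DATE_FORMAT_CHOICES.get(choice, USER_DATE_FORMAT_CHOICES["iso"])
    return format_date(value, fmt, get_format_after_fix)


SAMPLE_DATE = date(2015, 11, 24)  # constructed sample input

if __name__ == "__main__":
    print(format_date(SAMPLE_DATE, "j/m/Y", get_format_before_fix))       # 24/11/2015
    print(format_date(SAMPLE_DATE, "SECRET_KEY", get_format_before_fix))  # settings value leaks
    print(format_date(SAMPLE_DATE, "SECRET_KEY", get_format_after_fix))   # literal text only
    print(format_date_for_user(SAMPLE_DATE, "SECRET_KEY"))                # falls back to iso
```

The library-side fix is the allowlist check in get_format_after_fix; the preset mapping in format_date_for_user is the application-side control that makes an unvalidated format string impossible to pass in the first place, which is what the note means by "unvalidated format".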
commit 9743051a9e723948215674eac1f2644c46f79d63
Author: Justin Lecher <jlec@gentoo.org>
Date:   Thu Nov 26 10:28:19 2015 +0100

    dev-python/django: Security bump

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=566796
    Package-Manager: portage-2.2.25
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9743051a9e723948215674eac1f2644c46f79d63
@arches, please stable =dev-python/django-1.7.11 =dev-python/django-1.8.7
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please vote.
commit 2834d01676331015c67cfd02cec755c0025b0bc4
Author: Justin Lecher <jlec@gentoo.org>
Date:   Mon Nov 30 10:43:21 2015 +0100

    dev-python/django: Drop version vulnerable for CVE-2015-8213

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=566796
    Package-Manager: portage-2.2.25
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2834d01676331015c67cfd02cec755c0025b0bc4
GLSA Vote: No
Thank you all. Closing as noglsa.