Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 566796 (CVE-2015-8213) - <dev-python/django-{1.7.11,1.8.7}: leak in date template filter (CVE-2015-8213)
Summary: <dev-python/django-{1.7.11,1.8.7}: leak in date template filter (CVE-2015-8213)
Status: RESOLVED FIXED
Alias: CVE-2015-8213
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B4 [noglsa/cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-25 11:00 UTC by Agostino Sarubbo
Modified: 2015-12-23 23:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-11-25 11:00:38 UTC
From ${URL} :

In accordance with our security release policy, the Django team is issuing multiple releases -- Django 1.7.11, 1.8.7, and 1.9 release candidate 2. These releases are now available on PyPI and our download page. These releases address a security issues detailed 
below. We encourage all users of Django to upgrade as soon as possible. The Django master branch has also been updated.

CVE-2015-8213: Fixed settings leak possibility in date template filter

If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application's settings by specifying a 
settings key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".

To remedy this, the underlying function used by the date template filter, django.utils.formats.get_format(), now only allows accessing the date/time formatting settings.

Thanks Ryan Butterfield for reporting the issue.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-11-26 09:28:52 UTC
commit 9743051a9e723948215674eac1f2644c46f79d63
Author: Justin Lecher <jlec@gentoo.org>
Date:   Thu Nov 26 10:28:19 2015 +0100

    dev-python/django: Security bump

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=566796

    Package-Manager: portage-2.2.25
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9743051a9e723948215674eac1f2644c46f79d63
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2015-11-26 09:30:14 UTC
@arches, please stable

=dev-python/django-1.7.11
=dev-python/django-1.8.7
Comment 3 Agostino Sarubbo gentoo-dev 2015-11-30 09:35:22 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-11-30 09:35:48 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Justin Lecher (RETIRED) gentoo-dev 2015-11-30 09:43:48 UTC
commit 2834d01676331015c67cfd02cec755c0025b0bc4
Author: Justin Lecher <jlec@gentoo.org>
Date:   Mon Nov 30 10:43:21 2015 +0100

    dev-python/django: Drop version vulnerable for CVE-2015-8213

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=566796

    Package-Manager: portage-2.2.25
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2834d01676331015c67cfd02cec755c0025b0bc4
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-12-08 00:50:40 UTC
GLSA Vote: No
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-12-23 23:47:04 UTC
Thank you all. Closing as noglsa.