Bug 955412 - (CVE-2015-8213) VUL-0: CVE-2015-8213: python-django: Settings leak possibility in ``date`` template filter
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium / Normal
Target Milestone: ---
Assigned To: Security Team bot
CVSSv2:NVD:CVE-2015-8213:5.0:(AV:N/AC...
Depends on:
Blocks:
Reported: 2015-11-17 13:28 UTC by Sebastian Krahmer
Modified: 2016-04-27 19:47 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
date-leak-1.7.diff (2.80 KB, patch), 2015-11-17 13:33 UTC, Sebastian Krahmer
date-leak-1.8.diff (3.92 KB, patch), 2015-11-17 13:33 UTC, Sebastian Krahmer
date-leak-1.9.diff (3.85 KB, patch), 2015-11-17 13:34 UTC, Sebastian Krahmer
date-leak-master.diff (3.84 KB, patch), 2015-11-17 13:34 UTC, Sebastian Krahmer

Description Sebastian Krahmer 2015-11-17 13:28:23 UTC
Via pre-notification:

You're receiving this message because you are on the security
pre-notification list for the Django web framework; information about
this list can be found in our security policy [1].

In accordance with that policy, on Tuesday, November 24, 2015 around
17:00 UTC, the Django project will be issuing a release to remedy a
security issue reported to us. This message contains a description of
the issue, a description of the changes which will be made to Django,
and the patches which will be applied to Django.

CVE-2015-8213: Settings leak possibility in ``date`` template filter
====================================================================

If an application allows users to specify an unvalidated format for
dates and passes this format to the ``date`` filter, e.g.
``{{ last_updated|date:user_date_format }}``, then a malicious user
could obtain any secret in the application's settings by specifying a
settings key instead of a date format, e.g. ``"SECRET_KEY"`` instead
of ``"j/m/Y"``.

To remedy this, the underlying function used by the ``date`` template
filter, ``django.utils.formats.get_format()``, now only allows
accessing the date/time formatting settings.

Affected supported versions
===========================

* Django master development branch
* Django 1.9
* Django 1.8
* Django 1.7

Per our supported versions policy [2], Django 1.6 and older are no
longer receiving security updates.

Resolution
==========

Included with this email are patches implementing the changes
described above for each affected version of Django. These patches
will be applied to the Django development repository on the release
date above and the following releases will be issued along with
disclosure of the issues:

* Django 1.9 release candidate 2
* Django 1.8.7
* Django 1.7.11

As Django's master development branch is in a pre-alpha state, users are
strongly encouraged not to run production deployments from it; the
disclosure announcement will nonetheless include a reminder of this
and encourage any such users to upgrade immediately.

[1] https://www.djangoproject.com/security/
[2] https://docs.djangoproject.com/en/dev/internals/release-process/#supported-versions
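Added illustration of the behaviour the advisory describes; this is constructed code, not Django's source and not the attached patches. It uses a stand-in settings object, a simplified ``get_format()`` in its pre-fix and post-fix forms, and a toy date formatter that, like Django's, passes unknown characters through literally, which is how a resolved settings value ends up in the rendered page. The ``FORMAT_SETTINGS`` allow-list is an illustrative subset of the idea behind the fix.

```python
import datetime
from types import SimpleNamespace

# Constructed stand-in for django.conf.settings; SECRET_KEY is a placeholder value.
settings = SimpleNamespace(
    DATE_FORMAT="Y-m-d",
    SHORT_DATE_FORMAT="m/d/Y",
    SECRET_KEY="not-a-real-secret-key",
)

# Allow-list of settings names that get_format() may resolve after the fix.
# Illustrative subset: the upstream list also covers input formats and number separators.
FORMAT_SETTINGS = frozenset({
    "DATE_FORMAT", "DATETIME_FORMAT", "TIME_FORMAT", "SHORT_DATE_FORMAT",
    "SHORT_DATETIME_FORMAT", "YEAR_MONTH_FORMAT", "MONTH_DAY_FORMAT",
})

RELEASE_DAY = datetime.date(2015, 11, 24)  # sample value used by the demo below


def get_format_vulnerable(format_type):
    """Pre-fix lookup: any attribute of settings is returned by name, SECRET_KEY included."""
    return getattr(settings, format_type, format_type)


def get_format_fixed(format_type):
    """Post-fix lookup: names outside the allow-list are kept as literal format strings."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


# Toy formatter covering four of the PHP-style codes the date filter understands.
# Unknown characters pass through literally, so a resolved settings value shows up verbatim.
_CODES = {
    "d": lambda v: "%02d" % v.day,
    "j": lambda v: str(v.day),
    "m": lambda v: "%02d" % v.month,
    "Y": lambda v: str(v.year),
}


def date_filter(value, arg, get_format=get_format_fixed):
    """Simplified {{ value|date:arg }}: resolve arg through get_format, then render it."""
    fmt = get_format(arg or "DATE_FORMAT")
    return "".join(_CODES[c](value) if c in _CODES else c for c in fmt)


if __name__ == "__main__":
    # A user-supplied arg naming a setting leaks its value pre-fix, not post-fix.
    print(date_filter(RELEASE_DAY, "SECRET_KEY", get_format_vulnerable))  # not-a-real-secret-key
    print(date_filter(RELEASE_DAY, "SECRET_KEY", get_format_fixed))       # SECRET_KE2015
    print(date_filter(RELEASE_DAY, "j/m/Y"))                              # 24/11/2015
```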
Comment 1 Sebastian Krahmer 2015-11-17 13:30:03 UTC
CRD: 11-24-2015
Comment 2 Sebastian Krahmer 2015-11-17 13:33:17 UTC
Created attachment 656228 [details]
date-leak-1.7.diff
Comment 3 Sebastian Krahmer 2015-11-17 13:33:54 UTC
Created attachment 656229 [details]
date-leak-1.8.diff
Comment 4 Sebastian Krahmer 2015-11-17 13:34:13 UTC
Created attachment 656230 [details]
date-leak-1.9.diff
Comment 5 Sebastian Krahmer 2015-11-17 13:34:35 UTC
Created attachment 656231 [details]
date-leak-master.diff
Comment 6 Vincent Untz 2015-11-17 15:00:02 UTC
Bernhard: can you handle that?
Comment 7 Swamp Workflow Management 2015-11-17 23:01:06 UTC
bugbot adjusting priority
Comment 8 Bernhard Wiedemann 2015-11-18 09:55:32 UTC
backported to my stable/1.5.x and stable/1.6.x branches
but will only push those to github and OBS after CRD.
Comment 12 Bernhard Wiedemann 2015-11-25 08:37:41 UTC
is public now
https://github.com/django/django/commit/9f83fc2f66f5a0bac7c291aec55df66050bb6991
Comment 15 Bernhard Wiedemann 2015-11-25 09:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (955412) was mentioned in
https://build.opensuse.org/request/show/346186 13.2 / python-Django
https://build.opensuse.org/request/show/346188 13.1 / python-django
Comment 17 Swamp Workflow Management 2015-12-04 14:11:24 UTC
openSUSE-SU-2015:2199-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 955412
CVE References: CVE-2015-8213
Sources used:
openSUSE 13.1 (src):    python-django-1.5.12-0.2.17.1
Comment 18 Swamp Workflow Management 2015-12-04 14:12:08 UTC
openSUSE-SU-2015:2202-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 955412
CVE References: CVE-2015-8213
Sources used:
openSUSE 13.2 (src):    python-Django-1.6.11-3.13.1
Comment 19 Swamp Workflow Management 2015-12-19 15:16:05 UTC
SUSE-SU-2015:2327-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 955412
CVE References: CVE-2015-8213
Sources used:
SUSE Enterprise Storage 1.0 (src):    python-Django-1.6.11-11.1
Comment 20 Victor Pereira 2015-12-30 08:01:41 UTC
fixed and released.
Comment 21 Andreas Stieger 2016-01-07 09:02:04 UTC
Releasing for SUSE-CLOUD-5, still running for Storage-2
Comment 23 Andreas Stieger 2016-01-07 11:07:34 UTC
Releasing for SES 2 which is the last affected product. Closing.
Comment 24 Swamp Workflow Management 2016-01-07 12:11:26 UTC
SUSE-SU-2016:0040-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 955412
CVE References: CVE-2015-8213
Sources used:
SUSE OpenStack Cloud 5 (src):    python-Django-1.6.11-13.1
Comment 25 Swamp Workflow Management 2016-01-07 14:12:36 UTC
SUSE-SU-2016:0044-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 937522,937523,941587,955412
CVE References: CVE-2015-5143,CVE-2015-5144,CVE-2015-5963,CVE-2015-8213
Sources used:
SUSE Enterprise Storage 2 (src):    python-Django-1.6.11-3.1