Bugzilla – Bug 955412
VUL-0: CVE-2015-8213: python-django: Settings leak possibility in ``date`` template filter
Last modified: 2016-04-27 19:47:29 UTC
Via pre-notification:

You're receiving this message because you are on the security pre-notification list for the Django web framework; information about this list can be found in our security policy [1]. In accordance with that policy, on Tuesday, November 24, 2015 around 17:00 UTC, the Django project will be issuing a release to remedy a security issue reported to us. This message contains a description of the issue, a description of the changes which will be made to Django, and the patches which will be applied to Django.

CVE-2015-8213: Settings leak possibility in ``date`` template filter
====================================================================

If an application allows users to specify an unvalidated format for dates and passes this format to the ``date`` filter, e.g. ``{{ last_updated|date:user_date_format }}``, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format, e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.

To remedy this, the underlying function used by the ``date`` template filter, ``django.utils.formats.get_format()``, now only allows accessing the date/time formatting settings.

Affected supported versions
===========================

* Django master development branch
* Django 1.9
* Django 1.8
* Django 1.7

Per our supported versions policy [2], Django 1.6 and older are no longer receiving security updates.

Resolution
==========

Included with this email are patches implementing the changes described above for each affected version of Django.

These patches will be applied to the Django development repository on the release date above and the following releases will be issued along with disclosure of the issues:

* Django 1.9 release candidate 2
* Django 1.8.7
* Django 1.7.11

As Django's master development branch is in a pre-alpha state, users are strongly encouraged not to run production deployments from it; the disclosure announcement will nonetheless include a reminder of this and encourage any such users to upgrade immediately.

[1] https://www.djangoproject.com/security/
[2] https://docs.djangoproject.com/en/dev/internals/release-process/#supported-versions
CRD: 11-24-2015
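A reduced model of the leak described in the pre-notification and of the allowlist remedy it announces, added here as an illustration; it is not Django's code and not the attached patches. The stand-in settings object, its placeholder values and the exact contents of the FORMAT_SETTINGS allowlist are assumptions made for this example.

```python
"""Model of CVE-2015-8213: the ``date`` filter resolving a user-supplied format
name against settings, before and after restricting the lookup.

Constructed stand-in for django.conf.settings and django.utils.formats.get_format;
only the behaviour the advisory describes is modelled, not the locale handling.
"""
from types import SimpleNamespace

# Constructed settings object; the values are placeholders, not real secrets.
settings = SimpleNamespace(
    SECRET_KEY="placeholder-secret-key",
    DATE_FORMAT="N j, Y",
    TIME_FORMAT="P",
)

# Allowlist of the formatting-related settings that get_format() may resolve.
# Assumption: this mirrors the allowlist approach of the upstream remedy.
FORMAT_SETTINGS = frozenset({
    "DECIMAL_SEPARATOR", "THOUSAND_SEPARATOR", "NUMBER_GROUPING",
    "FIRST_DAY_OF_WEEK", "MONTH_DAY_FORMAT", "TIME_FORMAT", "DATE_FORMAT",
    "DATETIME_FORMAT", "SHORT_DATE_FORMAT", "SHORT_DATETIME_FORMAT",
    "YEAR_MONTH_FORMAT", "DATE_INPUT_FORMATS", "TIME_INPUT_FORMATS",
    "DATETIME_INPUT_FORMATS",
})


def get_format_vulnerable(format_type):
    """Pre-fix behaviour: any attribute name present on settings is resolved,
    so a user-controlled format that names a setting returns that setting."""
    return getattr(settings, format_type, format_type)


def get_format_fixed(format_type):
    """Post-fix behaviour: only names in FORMAT_SETTINGS are looked up on
    settings; anything else is treated as a literal date format string."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


if __name__ == "__main__":
    # Constructed inputs: a real format, a formatting setting, a non-format setting.
    for fmt in ("j/m/Y", "DATE_FORMAT", "SECRET_KEY"):
        print(f"{fmt!r:14} before={get_format_vulnerable(fmt)!r:26} "
              f"after={get_format_fixed(fmt)!r}")
```

The hardened lookup still lets templates reference ``DATE_FORMAT`` and friends by name, while any other settings key is returned verbatim and, at worst, renders as a nonsensical date format.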
Created attachment 656228 [details] date-leak-1.7.diff
Created attachment 656229 [details] date-leak-1.8.diff
Created attachment 656230 [details] date-leak-1.9.diff
Created attachment 656231 [details] date-leak-master.diff
Bernhard: can you handle that?
bugbot adjusting priority
backported to my stable/1.5.x and stable/1.6.x branches but will only push those to github and OBS after CRD.
is public now https://github.com/django/django/commit/9f83fc2f66f5a0bac7c291aec55df66050bb6991
This is an autogenerated message for OBS integration: This bug (955412) was mentioned in https://build.opensuse.org/request/show/346186 13.2 / python-Django https://build.opensuse.org/request/show/346188 13.1 / python-django
openSUSE-SU-2015:2199-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 955412 CVE References: CVE-2015-8213 Sources used: openSUSE 13.1 (src): python-django-1.5.12-0.2.17.1
openSUSE-SU-2015:2202-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 955412 CVE References: CVE-2015-8213 Sources used: openSUSE 13.2 (src): python-Django-1.6.11-3.13.1
SUSE-SU-2015:2327-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 955412 CVE References: CVE-2015-8213 Sources used: SUSE Enterprise Storage 1.0 (src): python-Django-1.6.11-11.1
fixed and released.
Releasing for SUSE-CLOUD-5, still running for Storage-2
Releasing for SES 2 which is the last affected product. Closing.
SUSE-SU-2016:0040-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 955412 CVE References: CVE-2015-8213 Sources used: SUSE OpenStack Cloud 5 (src): python-Django-1.6.11-13.1
SUSE-SU-2016:0044-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 937522,937523,941587,955412 CVE References: CVE-2015-5143,CVE-2015-5144,CVE-2015-5963,CVE-2015-8213 Sources used: SUSE Enterprise Storage 2 (src): python-Django-1.6.11-3.1