Lucene search

K
debianDebianDEBIAN:DLA-349-1:1690A
HistoryNov 25, 2015 - 9:40 p.m.

[SECURITY] [DLA 349-1] python-django security update

2015-11-2521:40:45
lists.debian.org
5

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.007 Low

EPSS

Percentile

80.3%

Package : python-django
Version : 1.2.3-3+squeeze15
CVE ID : CVE-2015-8213

It was discovered that there was a potential settings leak in date
template filter of Django, a web-development framework.

If an application allows users to specify an unvalidated format for
dates and passes this format to the date filter, e.g.
{{ last_updated|date:user_date_format }}, then a malicious user
could obtain any secret in the application's settings by specifying
a settings key instead of a date format. e.g. "SECRET_KEY" instead
of "j/m/Y".

To remedy this, the underlying function used by the date template
filter, django.utils.formats.get_format(), now only allows accessing
the date/time formatting settings.

For Debian 6 Squeeze, this issue has been fixed in python-django
version 1.2.3-3+squeeze15.

Regards,


  ,''`.
 : :'  :     Chris Lamb
 `. `'`      [email protected] / chris-lamb.co.uk
   `-

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.007 Low

EPSS

Percentile

80.3%

Related for DEBIAN:DLA-349-1:1690A