(RHSA-2016:0156) Moderate: python-django security update

2016-02-1001:06:15

access.redhat.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.007 Low

EPSS

Percentile

78.2%

JSON

Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as much
as possible and adhering to the DRY (Don’t Repeat Yourself) principle.

An information-exposure flaw was found in the Django date filter. If an
application allowed users to provide non-validated date formats, a
malicious end user could expose application-settings data by providing
the relevant applications-settings key instead of a valid date format.
(CVE-2015-8213)

Red Hat would like to thank the Django project for reporting this issue.
Upstream acknowledges Ryan Butterfield as the original reporter.

All python-django users are advised to upgrade to these updated packages,
which contain backported patches to correct this issue.

OSVersionArchitecturePackageVersionFilename
RedHat7noarchpython-django-doc< 1.8.7-1.el7python-django-doc-1.8.7-1.el7.noarch.rpm
RedHat7noarchpython-django-bash-completion< 1.8.7-1.el7python-django-bash-completion-1.8.7-1.el7.noarch.rpm
RedHat7noarchpython-django< 1.8.7-1.el7python-django-1.8.7-1.el7.noarch.rpm
RedHat7srcpython-django< 1.8.7-1.el7python-django-1.8.7-1.el7.src.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	7	noarch	python-django-doc	< 1.8.7-1.el7	python-django-doc-1.8.7-1.el7.noarch.rpm
RedHat	7	noarch	python-django-bash-completion	< 1.8.7-1.el7	python-django-bash-completion-1.8.7-1.el7.noarch.rpm
RedHat	7	noarch	python-django	< 1.8.7-1.el7	python-django-1.8.7-1.el7.noarch.rpm
RedHat	7	src	python-django	< 1.8.7-1.el7	python-django-1.8.7-1.el7.src.rpm