Bug 1283553 (CVE-2015-8213)

Summary: CVE-2015-8213 python-django: Information leak through date template filter
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, bkearney, cbillett, chrisw, dallan, gkotton, gmollett, jschluet, kseifried, lars, lhh, lpeer, markmc, mrunge, rbryant, sclewis, security-response-team, sisharma, slong, tdecacqu, tomckay, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-django 1.9rc2, python-django 1.8.7, python-django 1.7.11 Doc Type: Bug Fix
Doc Text:
An information-exposure flaw was found in the Django date filter. If an application allowed users to provide non-validated date formats, a malicious end user could expose application-settings data by providing the relevant applications-settings key instead of a valid date format.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-09 22:20:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1285278, 1285279, 1285931, 1285932, 1285933, 1285934, 1285935, 1286327, 1297644, 1297645    
Bug Blocks: 1283555    
Attachments:
Description Flags
Django 1.7
none
Django 1.8
none
Django 1.9
none
Django master none

Description Adam Mariš 2015-11-19 09:34:44 UTC 
A vulnerability in date filter exposing information on application settings was found. If an application allows users to specify an unvalidated format for dates and passes this format to the ``date`` filter, e.g. ``{{ last_updated|date:user_date_format }}``, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.

Affected supported versions are Django 1.9, 1.8 and 1.7.

External reference:

https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
Comment 1 Adam Mariš 2015-11-19 09:36:08 UTC 
Created attachment 1096569 [details]
Django 1.7
Comment 2 Adam Mariš 2015-11-19 09:36:46 UTC 
Created attachment 1096570 [details]
Django 1.8
Comment 3 Adam Mariš 2015-11-19 09:37:14 UTC 
Created attachment 1096571 [details]
Django 1.9
Comment 4 Adam Mariš 2015-11-19 09:37:36 UTC 
Created attachment 1096572 [details]
Django master
Comment 5 Matthias Runge 2015-11-25 10:14:15 UTC 
It's public now
Comment 6 Matthias Runge 2015-11-25 10:15:35 UTC 
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
Comment 7 Adam Mariš 2015-11-25 10:49:52 UTC 
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1285278]
Affects: epel-all [bug 1285279]
Comment 10 Fedora Update System 2015-12-07 20:29:31 UTC 
python-django-1.8.7-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-12-24 05:06:56 UTC 
python-django-1.6.11-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Garth Mollett 2016-02-02 05:23:32 UTC 
Acknowledgements:

Red Hat would like to thank the Django project for reporting this issue. Upstream acknowledges Ryan Butterfield as the original reporter.
Comment 14 errata-xmlrpc 2016-02-08 06:50:24 UTC 
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2016:0129 https://rhn.redhat.com/errata/RHSA-2016-0129.html
Comment 15 errata-xmlrpc 2016-02-10 01:16:21 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2016:0158 https://rhn.redhat.com/errata/RHSA-2016-0158.html
Comment 16 errata-xmlrpc 2016-02-10 01:16:46 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2016:0157 https://rhn.redhat.com/errata/RHSA-2016-0157.html
Comment 17 errata-xmlrpc 2016-02-10 01:17:07 UTC 
This issue has been addressed in the following products:

  OpenStack 7 For RHEL 7

Via RHSA-2016:0156 https://rhn.redhat.com/errata/RHSA-2016-0156.html
Comment 18 errata-xmlrpc 2016-03-08 06:35:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7

Via RHSA-2016:0360 https://rhn.redhat.com/errata/RHSA-2016-0360.html