A vulnerability in the ``date`` template filter that exposes information from the application's settings was found. If an application lets users specify an unvalidated format for dates and passes this format to the ``date`` filter, e.g. ``{{ last_updated|date:user_date_format }}``, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format, e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``. Affected supported versions are Django 1.9, 1.8 and 1.7. External reference: https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
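The defensive pattern for the bug described above, as an added example that is not Django's code and not part of this report: the untrusted value is never used as a format string directly. It selects a predefined format by key, and for legacy code that still accepts a free-form format, a character allowlist built from Django's date specifiers rejects anything that looks like a settings name before it reaches the filter. All names (``ALLOWED_FORMATS``, ``select_format``, ``is_safe_format``, ``render_date``, ``format_last_updated``) and the sample formats are assumptions; the renderer is a toy that covers a handful of specifiers so the example runs without Django installed.

```python
# Added example (not Django's code): defender-side handling of an untrusted
# date-format string. All names here are hypothetical.
import datetime

# Preferred control: the user picks a format by key; the format string itself
# never comes from the request. Keys and formats are constructed sample data.
ALLOWED_FORMATS = {
    "dmy": "j/m/Y",   # 24/11/2015
    "mdy": "m/d/Y",   # 11/24/2015
    "ymd": "Y-m-d",   # 2015-11-24
}
DEFAULT_FORMAT_KEY = "dmy"

# Secondary control for legacy code that still accepts a free-form format:
# a character allowlist of Django's date-filter specifiers plus a few
# separators. A settings name such as "SECRET_KEY" contains characters
# (C, R, K, _) that are not specifiers, so it is rejected.
DATE_SPECIFIERS = set("aAbBcdDeEfFgGhHiIjlLmMnNoOPrsStTuUwWyYzZ")
SEPARATORS = set(" ./-:,")


def select_format(user_choice):
    """Resolve an untrusted choice to a predefined format; unknown keys get the default."""
    return ALLOWED_FORMATS.get(user_choice, ALLOWED_FORMATS[DEFAULT_FORMAT_KEY])


def is_safe_format(fmt):
    """True only if every character is a known date specifier or separator."""
    return bool(fmt) and all(ch in DATE_SPECIFIERS or ch in SEPARATORS for ch in fmt)


def render_date(value_iso, fmt):
    """Toy renderer for j, d, n, m, Y, y (not Django's dateformat implementation).

    Takes an ISO date string so the example is self-contained.
    """
    value = datetime.date.fromisoformat(value_iso)
    pieces = []
    for ch in fmt:
        if ch == "j":
            pieces.append(str(value.day))
        elif ch == "d":
            pieces.append(f"{value.day:02d}")
        elif ch == "n":
            pieces.append(str(value.month))
        elif ch == "m":
            pieces.append(f"{value.month:02d}")
        elif ch == "Y":
            pieces.append(str(value.year))
        elif ch == "y":
            pieces.append(f"{value.year % 100:02d}")
        elif ch in SEPARATORS:
            pieces.append(ch)
        else:
            raise ValueError(f"specifier {ch!r} not supported by this toy renderer")
    return "".join(pieces)


def format_last_updated(value_iso, user_format):
    """Legacy path: accept a free-form format, but only after the allowlist check."""
    fmt = user_format if is_safe_format(user_format) else ALLOWED_FORMATS[DEFAULT_FORMAT_KEY]
    return render_date(value_iso, fmt)


if __name__ == "__main__":
    print(render_date("2015-11-24", select_format("ymd")))          # 2015-11-24
    print(render_date("2015-11-24", select_format("SECRET_KEY")))   # 24/11/2015 (unknown key, default)
    print(format_last_updated("2015-11-24", "SECRET_KEY"))          # 24/11/2015 (rejected, default)
    print(format_last_updated("2015-11-24", "d.m.y"))               # 24.11.15
```

The key-selection path is the one to keep: once the format string is chosen server-side, the filter argument can never name a setting regardless of the Django version. The character allowlist is a belt-and-braces check for code that cannot yet be migrated, and upgrading to the fixed releases remains necessary.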
Created attachment 1096569: Django 1.7
Created attachment 1096570: Django 1.8
Created attachment 1096571: Django 1.9
Created attachment 1096572: Django master
It's public now
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1285278] Affects: epel-all [bug 1285279]
python-django-1.8.7-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
python-django-1.6.11-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Acknowledgements: Red Hat would like to thank the Django project for reporting this issue. Upstream acknowledges Ryan Butterfield as the original reporter.
This issue has been addressed in the following products: OpenStack 6 for RHEL 7 Via RHSA-2016:0129 https://rhn.redhat.com/errata/RHSA-2016-0129.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2016:0158 https://rhn.redhat.com/errata/RHSA-2016-0158.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2016:0157 https://rhn.redhat.com/errata/RHSA-2016-0157.html
This issue has been addressed in the following products: OpenStack 7 for RHEL 7 Via RHSA-2016:0156 https://rhn.redhat.com/errata/RHSA-2016-0156.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7 Via RHSA-2016:0360 https://rhn.redhat.com/errata/RHSA-2016-0360.html