FEDORA-2015-a8c8f60fbd — security update for python-django

stable

python-django-1.8.7-1.fc23

FEDORA-2015-a8c8f60fbd created by mrunge 9 years ago for Fedora 23

This update fixes CVE-2015-8213: Fixed settings leak possibility in date template filter, more info can be found https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2015-a8c8f60fbd

This update has been submitted for testing by mrunge.

9 years ago

This update has been pushed to testing.

9 years ago

enaut commented & provided feedback 9 years ago

karma

I cannot reproduce the security flaw. I wrote a template containing only : { foo|date:bar }} and redered it with: render(request, 'test.html', {'foo':datetime.date.today(), 'bar':'"SECRET_KEY"'}) But with Django 1.8.4 and with Django 1.8.7 I get the same desired result. So no karma for the fixes but for the release.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

9 years ago

This update has been submitted for stable by bodhi.

9 years ago

barracks510 commented & provided feedback 9 years ago

karma

No regressions... Works for me.

This update has been pushed to stable.

9 years ago

Please login to add feedback.

Metadata

Type

security

Severity

medium

Karma

Signed

Content Type

RPM

Test Gating

None

Autopush Settings

Unstable by Karma

-3

Stable by Karma

Stable by Time

disabled

Dates

submitted

9 years ago

in testing

9 years ago

in stable

9 years ago

Builds

python-django-1.8.7-1.fc23

BZ#1283553 CVE-2015-8213 python-django: Information leak through date template filter

BZ#1285278 CVE-2015-8213 python-django: Information leak through date template filter [fedora-all]

python-django-1.8.7-1.fc23

Automated Test Results

None