Upstream has issued an advisory today (November 24): https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
The issue is fixed in 1.8.7.
Ubuntu has issued an advisory for this on November 24: http://www.ubuntu.com/usn/usn-2816-1/
URL: (none) => http://lwn.net/Vulnerabilities/665808/
Mageia 5 and Cauldron updated to 1.8.7.

Packages in 5/core/updates_testing:
python3-django-1.8.7-1.mga5.noarch
python-django-doc-1.8.7-1.mga5.noarch
python-django-bash-completion-1.8.7-1.mga5.noarch
python-django-1.8.7-1.mga5.noarch

from python-django-1.8.7-1.mga5.src
Assignee: makowski.mageia => security
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13251#c6

Advisory:
========================

Updated python-django packages fix security vulnerability:

If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format (CVE-2015-8213).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8213
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
http://www.ubuntu.com/usn/usn-2816-1/
Assignee: security => qa-bugs
Whiteboard: (none) => has_procedure
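The flaw described in the advisory above, as an added illustration that is not Django's own code: a settings lookup that resolves any attribute name a user supplies as a "format", beside a hardened lookup restricted to an allowlist of format-setting names. The `Settings` stand-in, the contents of `FORMAT_SETTINGS`, and the tiny date renderer are constructed assumptions for the demonstration.

```python
import datetime

# Constructed stand-in for Django's settings object; the values are made up.
class Settings:
    SECRET_KEY = "hypothetical-secret-value"
    DATE_FORMAT = "Y-m-d"

settings = Settings()

# Names of settings that legitimately hold format strings. Only these may be
# resolved from a format argument (the allowlist idea; not Django's exact list).
FORMAT_SETTINGS = frozenset({"DATE_FORMAT", "SHORT_DATE_FORMAT",
                             "DATETIME_FORMAT", "TIME_FORMAT"})

def get_format_unvalidated(format_type):
    """Vulnerable pattern: any settings attribute name is resolved."""
    return getattr(settings, format_type, format_type)

def get_format_allowlisted(format_type):
    """Hardened pattern: names outside the allowlist are never looked up
    and are treated as a literal format string instead."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type, format_type)

# Minimal renderer for a subset of date format characters; any other
# character is copied through literally.
FORMAT_CHARS = {
    "Y": lambda d: "%04d" % d.year,
    "m": lambda d: "%02d" % d.month,
    "d": lambda d: "%02d" % d.day,
    "j": lambda d: str(d.day),
}

def render_date(value, user_format, resolver):
    """Resolve the user-supplied format via `resolver`, then render `value`."""
    fmt = resolver(user_format)
    return "".join(FORMAT_CHARS[ch](value) if ch in FORMAT_CHARS else ch
                   for ch in fmt)

def demo():
    day = datetime.date(2015, 11, 24)
    return {
        # Unvalidated lookup: the "format" SECRET_KEY resolves to the secret.
        "vulnerable": render_date(day, "SECRET_KEY", get_format_unvalidated),
        # Allowlisted lookup: SECRET_KEY stays a literal format; only 'Y' expands.
        "hardened": render_date(day, "SECRET_KEY", get_format_allowlisted),
        # A legitimate format setting still resolves normally.
        "legit": render_date(day, "DATE_FORMAT", get_format_allowlisted),
    }
```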
No issues with installation or running the application.

[brian@localhost ~]$ python
Python 2.7.9 (default, Dec 14 2014, 10:10:27)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import django
>>> print(django.get_version())
1.8.7
>>>
CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure MGA5-32-OK
fyi - did a little bit more:

[brian@localhost pycode]$ django-admin startproject mysite
[brian@localhost pycode]$ ls
mysite/
[brian@localhost pycode]$ cd mysite
[brian@localhost mysite]$ ls
manage.py*  mysite/
[brian@localhost mysite]$ python manage.py migrate
Operations to perform:
  Synchronize unmigrated apps: staticfiles, messages
  Apply all migrations: admin, contenttypes, auth, sessions
Synchronizing apps without migrations:
  Creating tables...
    Running deferred SQL...
  Installing custom SQL...
Running migrations:
  Rendering model states... DONE
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying sessions.0001_initial... OK
[brian@localhost mysite]$
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0463.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED