Security releases issued: 1.9rc2, 1.8.7, 1.7.11

Posted by Tim Graham on Nov. 24, 2015

In accordance with our security release policy, the Django team is issuing multiple releases -- Django 1.7.11, 1.8.7, and 1.9 release candidate 2. These releases are now available on PyPI and our download page. These releases address a security issues detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master branch has also been updated.

CVE-2015-8213: Fixed settings leak possibility in date template filter

If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".

To remedy this, the underlying function used by the date template filter, django.utils.formats.get_format(), now only allows accessing the date/time formatting settings.

Thanks Ryan Butterfield for reporting the issue.

Affected supported versions

  • Django master development branch
  • Django 1.9 (currently at release candidate status)
  • Django 1.8
  • Django 1.7

Per our supported versions policy, Django 1.6 and older are no longer receiving security updates.

This is likely to be the last release of the 1.7 series as it will be end-of-life upon the release of Django 1.9, scheduled for December 1.

Resolution

Patches have been applied to Django's master development branch and to the 1.7, 1.8, and 1.9 release branches, which resolve the issue described above. The patches may be obtained directly from the following changesets:

The following new releases have been issued:

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

Back to Top