FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary
directories, which allows local users to gain privileges by pre-creating a
temporary directory with a user's uid. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2014-1402.
mdeslaur> Introduced in 2.7.2, and in CVE-2014-1402 security fix.
mdeslaur> 2.7.2-2 in trusty switches to tempfile.mkdtemp which fixes the
mdeslaur> security issue, but isn't an ideal fix for proper caching.
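
An added example, not Jinja2's or Ubuntu's code: one way to validate a predictably named per-user cache directory in a shared temp location before use, so that a directory pre-created by another local user is rejected. The directory name and the names `secure_cache_dir` and `UnsafeCacheDir` are assumptions made for illustration.

```python
import os
import stat
import tempfile


class UnsafeCacheDir(RuntimeError):
    """The per-user cache directory exists but cannot be trusted."""


def secure_cache_dir(base=None, uid=None):
    """Return a private per-user cache directory under a shared temp dir.

    The name is predictable (it embeds the uid), so another local user may
    have created it first. The directory is used only if it is a real
    directory, owned by `uid`, with mode exactly 0700.
    """
    base = tempfile.gettempdir() if base is None else base
    uid = os.getuid() if uid is None else uid
    path = os.path.join(base, "_example-cache-%d" % uid)  # hypothetical name

    try:
        os.mkdir(path, stat.S_IRWXU)
    except FileExistsError:
        pass  # Already there: do not trust it yet, verify below.

    # lstat, not stat: a symlink planted at `path` must not be followed.
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeCacheDir("%s is not a directory" % path)
    if st.st_uid != uid:
        raise UnsafeCacheDir("%s is owned by uid %d" % (path, st.st_uid))
    if stat.S_IMODE(st.st_mode) != stat.S_IRWXU:
        raise UnsafeCacheDir("%s has mode %o" % (path, stat.S_IMODE(st.st_mode)))
    return path
```

Unlike `tempfile.mkdtemp`, this keeps a stable path across runs, so cached bytecode can be reused while the ownership and mode checks still hold.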
Updated: 2015-10-17 03:38:58 UTC (commit 10086)