Gentoo Linux Security Advisory 201408-13 - Multiple vulnerabilities have been found in Jinja2, allowing local attackers to escalate their privileges. Versions less than 2.7.3 are affected.
45f5f1798920b592c6c3fbfb7e03ae46684a6d440f2f5afdd03f111a7ff058f6
Ubuntu Security Notice 2301-1 - It was discovered that Jinja2 incorrectly handled temporary cache files and directories. A local attacker could use this issue to possibly gain privileges.
3a91ff5ebd149d7e0aab5ae4a428957385901e2a8fa50facfe13ef486970061a
Red Hat Security Advisory 2014-0748-01 - Jinja2 is a template engine written in pure Python. It provides a Django-inspired, non-XML syntax but supports inline expressions and an optional sandboxed environment. It was discovered that Jinja2 did not properly handle bytecode cache files stored in the system's temporary directory. A local attacker could use this flaw to alter the output of an application using Jinja2 and FileSystemBytecodeCache, and potentially execute arbitrary code with the privileges of that application. All Jinja2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all applications using Jinja2 must be restarted.
41b87145f59f03dd674367516a968f2e87fc6aac2fb28885597f14cda1723d86
Red Hat Security Advisory 2014-0747-01 - Jinja2 is a template engine written in pure Python. It provides a Django-inspired, non-XML syntax but supports inline expressions and an optional sandboxed environment. It was discovered that Jinja2 did not properly handle bytecode cache files stored in the system's temporary directory. A local attacker could use this flaw to alter the output of an application using Jinja2 and FileSystemBytecodeCache, and potentially execute arbitrary code with the privileges of that application. All python-jinja2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all applications using python-jinja2 must be restarted.
88953f562e5aade5e188e2e266cafb435bf8892b046ab5fa8f31b1e26eb81a91
Mandriva Linux Security Advisory 2014-096 - Jinja2, a template engine written in pure Python, was found to use /tmp as the default directory for jinja2.bccache.FileSystemBytecodeCache. This is insecure because the /tmp directory is world-writable and the filenames used by classes like 'FileSystemBytecodeCache' are often predictable. A malicious user could exploit this bug to execute arbitrary code as another user.
44d1301723529558867f49387a9bf314f26c0cfebb92615d2c4d9e985a3c2f81