Django is vulnerable to information disclosure. The flaw is in the get_format function in utils/formats.py: a malicious user can obtain any secret in the application settings by specifying a settings key name instead of a date format.
lists.fedoraproject.org/pipermail/package-announce/2015-December/173375.html
lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html
lists.opensuse.org/opensuse-updates/2015-12/msg00014.html
lists.opensuse.org/opensuse-updates/2015-12/msg00017.html
rhn.redhat.com/errata/RHSA-2016-0129.html
rhn.redhat.com/errata/RHSA-2016-0156.html
rhn.redhat.com/errata/RHSA-2016-0157.html
rhn.redhat.com/errata/RHSA-2016-0158.html
www.debian.org/security/2015/dsa-3404
www.securityfocus.com/bid/77750
www.securitytracker.com/id/1034237
www.ubuntu.com/usn/USN-2816-1
access.redhat.com/security/updates/classification/#moderate
github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4
www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
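
The lookup flaw described above, shown as an added example on a simplified model (this is not Django's source code): a format resolver that reads any attribute of the settings object, next to a version that only resolves allowlisted format names. The settings values, the function names and the contents of the FORMAT_SETTINGS allowlist are assumptions made for the illustration.

```python
# Simplified model of a settings-backed format lookup; NOT Django's source.
from types import SimpleNamespace

# Constructed sample settings: two format keys and one secret.
settings = SimpleNamespace(
    DATE_FORMAT="N j, Y",
    SHORT_DATE_FORMAT="m/d/Y",
    SECRET_KEY="constructed-secret-value",
)

# Allowlist of names that are legitimately format settings (assumed subset).
FORMAT_SETTINGS = frozenset({"DATE_FORMAT", "SHORT_DATE_FORMAT"})


def get_format_vulnerable(format_type):
    """Resolve a format name by reading any attribute of settings."""
    # Flaw: any attribute name is accepted, so "SECRET_KEY" resolves too.
    return getattr(settings, format_type, format_type)


def get_format_hardened(format_type):
    """Resolve only allowlisted format names; treat the rest as literals."""
    if format_type not in FORMAT_SETTINGS:
        return format_type  # literal format string, never a settings lookup
    return getattr(settings, format_type)


def leaked_settings(lookup, candidates):
    """Return candidate names for which lookup() exposes a non-format setting."""
    return [
        name for name in candidates
        if name not in FORMAT_SETTINGS
        and hasattr(settings, name)
        and lookup(name) == getattr(settings, name)
    ]


if __name__ == "__main__":
    probes = ["DATE_FORMAT", "SECRET_KEY", "Y-m-d"]
    print("vulnerable leaks:", leaked_settings(get_format_vulnerable, probes))
    print("hardened leaks:  ", leaked_settings(get_format_hardened, probes))
```

The leaked_settings helper doubles as a regression check: run it against the project's own format resolver with the names of sensitive settings and expect an empty list.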