[3.3] py-django: security issues (CVE-2016-9013, CVE-2016-9014)
CVE-2016-9013: User with hardcoded password created when running tests on Oracle
When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn’t manually specified in the database settings TEST dictionary, a hardcoded password is used. This could allow an attacker with network access to the database server to connect.
CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True
Older versions of Django don’t validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS rebinding attack.
While Django doesn’t ship a module that allows remote code execution, this is at least a cross-site scripting vector, which could be quite serious if developers load a copy of the production database in development or connect to some production services for which there’s no development instance, for example. If a project uses a package like the django-debug-toolbar, then the attacker could execute arbitrary SQL, which could be especially bad if the developers connect to the database with a superuser account.
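As an added illustration of the second issue (this is not code from Django or from the Alpine package; the function names and the sample Host headers are constructed for the example), the following re-implements the ALLOWED_HOSTS matching logic in plain Python and contrasts the unpatched shortcut, where DEBUG=True skips the check entirely, with the fixed behaviour, where the check always runs and an empty ALLOWED_HOSTS under DEBUG=True admits only the loopback names:

```python
"""Host-header validation modelled on Django's ALLOWED_HOSTS check.

Re-implemented here for illustration only; this is not Django's own code.
"""
import re

# Host header values a development server on 127.0.0.1 might receive
# (constructed sample input; the attacker-controlled name stands for a
# hostname whose DNS record has been rebound to 127.0.0.1).
SAMPLE_HOSTS = [
    "localhost:8000",
    "127.0.0.1:8000",
    "[::1]:8000",
    "attacker-controlled.example:8000",
    "evil.example",
]

# Names the fixed releases accept when DEBUG=True and ALLOWED_HOSTS is empty.
LOCAL_HOSTS = ["localhost", "127.0.0.1", "[::1]"]

# '[ipv6]' or a plain hostname / IPv4 literal, optionally followed by ':port'.
_HOST_PORT_RE = re.compile(r"^(\[[0-9a-fA-F:.]+\]|[a-zA-Z0-9.\-]+)(?::\d+)?$")


def split_host_port(host_header):
    """Return the lower-cased host part of a Host header, or None if malformed."""
    m = _HOST_PORT_RE.match(host_header)
    return m.group(1).lower() if m else None


def is_same_domain(host, pattern):
    """Match a host against one ALLOWED_HOSTS pattern.

    A leading dot ('.example.com') matches the domain itself and any
    subdomain; any other pattern must match exactly.
    """
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def validate_host(host, allowed_hosts):
    """True if host matches any pattern; '*' matches everything."""
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def host_accepted(host_header, allowed_hosts, debug, patched):
    """Decide whether a request carrying this Host header is served.

    patched=False: pre-fix behaviour, DEBUG=True bypasses validation.
    patched=True:  fixed behaviour (1.8.16 / 1.9.11 / 1.10.3), validation
                   always runs; with DEBUG=True and an empty ALLOWED_HOSTS
                   only the loopback names in LOCAL_HOSTS are accepted.
    """
    host = split_host_port(host_header)
    if host is None:
        return False
    if debug and not patched:
        return True  # the vulnerable shortcut: any Host header is trusted
    if debug and not allowed_hosts:
        allowed_hosts = LOCAL_HOSTS
    return validate_host(host, allowed_hosts)


def compare(sample_hosts=SAMPLE_HOSTS, allowed_hosts=()):
    """Return {host_header: (unpatched, patched)} decisions for DEBUG=True."""
    return {
        h: (host_accepted(h, list(allowed_hosts), True, False),
            host_accepted(h, list(allowed_hosts), True, True))
        for h in sample_hosts
    }


if __name__ == "__main__":
    for h, (before, after) in compare().items():
        print(f"{h:40} unpatched={before!s:5} patched={after}")
```

Running it with the default empty ALLOWED_HOSTS shows every sample header accepted by the unpatched logic, while the fixed logic serves only the three loopback names and rejects the rebound hostname, which is exactly what closes the rebinding vector for a developer's local server.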
Fixed In Version:
Django 1.10.3, Django 1.9.11, Django 1.8.16
Reference:
https://www.djangoproject.com/weblog/2016/nov/01/security-releases/
(from redmine: issue id 6464, created on 2016-11-16, closed on 2016-11-22)
- Relations:
- parent #6461 (closed)
- Changesets:
- Revision 53034558 on 2016-11-21T13:08:57Z:
main/py-django: security upgrade to 1.8.16 (CVE-2016-9013, CVE-2016-9014)
Fixes #6464
(cherry picked from commit 9f1555ac10091515ef044cdee1fb20db8552f3f8)