Debian: DSA-3835-1: python-django security update

    Date: 26 Apr 2017
    Category: Debian
    Posted By: LinuxSecurity Advisories
    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-3835-1
    https://www.debian.org/security/                     Salvatore Bonaccorso
    April 26, 2017                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------
    
    Package        : python-django
    CVE ID         : CVE-2016-9013 CVE-2016-9014 CVE-2017-7233 CVE-2017-7234
    Debian Bug     : 842856 859515 859516
    
    Several vulnerabilities were discovered in Django, a high-level Python
    web development framework. The Common Vulnerabilities and Exposures
    project identifies the following problems:
    
    CVE-2016-9013
    
        Marti Raudsepp reported that a user with a hardcoded password is
        created when running tests with an Oracle database.
    
    CVE-2016-9014
    
        Aymeric Augustin discovered that Django does not properly validate
        the Host header against settings.ALLOWED_HOSTS when the debug
        setting is enabled. A remote attacker can take advantage of this
        flaw to perform DNS rebinding attacks.
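    The Host check that closes this hole, as an added example that is not
    Django's code and not part of the advisory. It reimplements the matching
    rules of settings.ALLOWED_HOSTS ('*', exact host, leading-dot domain
    wildcard) and puts the pre-fix behaviour (no validation at all while DEBUG
    is on) beside the fixed one (an empty ALLOWED_HOSTS under DEBUG falls back
    to a loopback-only list instead of skipping the check). The function names
    (split_domain_port, validate_host, host_allowed, host_allowed_pre_fix,
    get_host) and the host names (app.example.com, rebind.attacker.example)
    are ours.

```python
import re

# Added example, not Django's code. Function and host names are ours.
# "Host" header value: hostname or bracketed IPv6 literal, optional :port.
_HOST_PORT_RE = re.compile(r"^(\[[0-9a-f:.]+\]|[a-z0-9.\-]+)(?::(\d+))?$")


class DisallowedHost(Exception):
    """Raised when the Host header does not match the allow list."""


def split_domain_port(host_header):
    """Return (domain, port) for a Host header value, lower-cased and with
    any trailing dot stripped; ("", "") if the header is malformed."""
    m = _HOST_PORT_RE.match(host_header.strip().lower())
    if not m:
        return "", ""
    domain, port = m.group(1), m.group(2) or ""
    return domain.rstrip("."), port


def validate_host(domain, allowed_hosts):
    """Match `domain` against ALLOWED_HOSTS-style patterns:
         '*'             any host
         '.example.com'  example.com and every subdomain
         'example.com'   exact (case-insensitive) match
    """
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == domain:
            return True
        if pattern.startswith(".") and (domain == pattern[1:] or domain.endswith(pattern)):
            return True
    return False


def host_allowed_pre_fix(host_header, allowed_hosts, debug=False):
    """Behaviour before the CVE-2016-9014 fix: with debug on, every Host
    header is accepted, so a name the attacker rebinds to 127.0.0.1 (here
    the constructed rebind.attacker.example) reaches the app unchecked."""
    if debug:
        return True
    domain, _port = split_domain_port(host_header)
    return bool(domain) and validate_host(domain, allowed_hosts)


def host_allowed(host_header, allowed_hosts, debug=False):
    """Fixed behaviour: debug with an empty allow list only relaxes the
    check to loopback names; an attacker-controlled Host is still rejected."""
    if debug and not allowed_hosts:
        allowed_hosts = ["localhost", "127.0.0.1", "[::1]"]
    domain, _port = split_domain_port(host_header)
    return bool(domain) and validate_host(domain, allowed_hosts)


def get_host(host_header, allowed_hosts, debug=False):
    """Return the validated Host header value or raise DisallowedHost."""
    if host_allowed(host_header, allowed_hosts, debug):
        return host_header
    raise DisallowedHost("Invalid HTTP_HOST header: %r" % host_header)


if __name__ == "__main__":
    # A browser at the attacker's page sends this Host to the dev server on
    # 127.0.0.1:8000 after the attacker's DNS entry is rebound to 127.0.0.1.
    rebound = "rebind.attacker.example:8000"
    print("pre-fix, DEBUG=True :", host_allowed_pre_fix(rebound, [], debug=True))
    print("fixed,   DEBUG=True :", host_allowed(rebound, [], debug=True))
    print("fixed, local browse :", host_allowed("127.0.0.1:8000", [], debug=True))
```

    The allow-list match is on the domain only, so a port in the Host header
    does not need to appear in ALLOWED_HOSTS; a trailing dot and letter case
    are normalised away before matching, while a look-alike such as
    evil.example.com.attacker.example does not match ".example.com".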
    
    CVE-2017-7233
    
        It was discovered that is_safe_url() incorrectly treats certain
        numeric URLs (for example http:999999999) as safe. A remote attacker
        can take advantage of this flaw to perform XSS attacks or to use a
        Django server as an open redirect.
    
    CVE-2017-7234
    
        Phithon from Chaitin Tech discovered an open redirect vulnerability
        in the django.views.static.serve() view. Note that this view is not
        intended for production use.
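    Both CVE-2017-7233 and CVE-2017-7234 come down to a redirect target built
    from attacker-influenced input that slips past the "stays on this site"
    check. The following is an added example, not Django's code and not part
    of the advisory: a redirect-target check with the rules is_safe_url()
    enforces after the fix. The decisive detail is the parser: older
    urllib.parse.urlsplit() treated an all-digit remainder such as
    "http:999999999" as a port with no scheme, so the string looked like a
    relative path, while browsers read it as an http URL. The splitter below
    therefore does not apply that heuristic. The names split_scheme_netloc,
    is_safe_redirect and allowed_hosts, and the hosts app.example.com and
    evil.example, are ours.

```python
import string
import unicodedata

# Added example, not Django's code. Names and sample hosts are ours.
_SCHEME_CHARS = frozenset(string.ascii_letters + string.digits + "+-.")


def split_scheme_netloc(url):
    """Return (scheme, netloc) for url, without the old urlsplit() heuristic
    that turned "http:999999999" into a scheme-less path. If the part before
    the first ':' is made of scheme characters, it is the scheme, full stop."""
    scheme = ""
    i = url.find(":")
    if i > 0 and all(c in _SCHEME_CHARS for c in url[:i]):
        scheme, url = url[:i].lower(), url[i + 1:]
    netloc = ""
    if url[:2] == "//":
        end = len(url)
        for stop in "/?#":
            j = url.find(stop, 2)
            if j != -1:
                end = min(end, j)
        netloc = url[2:end]
    return scheme, netloc


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """True only if following `url` keeps the user on one of `allowed_hosts`
    (netloc compared exactly, so include a port if one is expected) over
    http(s), or on a same-origin relative path."""
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # Chrome treats "\" as "/", so "/\evil.example" becomes "//evil.example".
    if "\\" in url:
        return False
    # Browsers skip leading control characters (Unicode category C*), which
    # can turn an apparently relative string into a scheme-relative URL.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme, netloc = split_scheme_netloc(url)
    # A scheme with no host ("http:999999999", "http:///evil.example",
    # "javascript:alert(1)") can never be a same-site redirect.
    if scheme and not netloc:
        return False
    # "//evil.example/x" has a host but no scheme: the browser uses http.
    if netloc and not scheme:
        scheme = "http"
    valid_schemes = {"https"} if require_https else {"http", "https"}
    return (not netloc or netloc in allowed_hosts) and (not scheme or scheme in valid_schemes)


if __name__ == "__main__":
    hosts = {"app.example.com"}
    for candidate in ["/accounts/profile/", "http:999999999", "//evil.example/",
                      "http:///evil.example/", "https://app.example.com/next"]:
        verdict = "redirect" if is_safe_redirect(candidate, hosts) else "use default URL"
        print("%-32s -> %s" % (candidate, verdict))
```

    Use the result to pick between the user-supplied target and a fixed
    fallback, never to "repair" the target: anything with a scheme but no
    host, a host outside the allow list, or a leading control character is
    simply replaced by the default. For a view like static.serve(), the same
    rule applies to a redirect built from the request path, which is how a
    path beginning with "//" becomes a protocol-relative redirect.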
    
    For the stable distribution (jessie), these problems have been fixed in
    version 1.7.11-1+deb8u2.
    
    We recommend that you upgrade your python-django packages.
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/
    
    