[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

CVE-2016-9013 / django-python

Hello All,

Looking at CVE-2016-9013 for django-python in wheezy-security, I see

* It only occurs if you run the tests on an Oracle server.
* The window for exploitation is reduced if you don't use the --keepdb
  option. Not sure why you would want to use this option on a production system.
* A test user is created on the Oracle server with a known password. Bad.
* If you used the --keepdb option, the upstream patch doesn't "fix"
  existing installs. Fix must be done manually and doesn't require the patch.

In porting the patch across, I found it doesn't port easily. So the
patch basically needs to be recreated. Shouldn't be too hard really - it
is simple to understand. However I don't have an Oracle server to test
the resultant patch against.

So just wondering if anybody uses django-python with Oracle, and if this
security fix warrants getting fixed in wheezy-security.

Maybe this warrants a security advisory without a patch? Is that even

Brian May <brian@linuxpenguins.xyz>

Reply to: