
CVE-2016-9013 / django-python



Hello All,

Looking at CVE-2016-9013 for django-python in wheezy-security, I see
that:

* It only occurs if you run the tests on an Oracle server.
* The window for exploitation is reduced if you don't use the --keepdb
  option. Not sure why you would want to use this option on a production system.
* A test user is created on the Oracle server with a known password. Bad.
* If you used the --keepdb option, the upstream patch doesn't "fix"
  existing installs. Fix must be done manually and doesn't require the patch.

In porting the patch across, I found it doesn't port easily. So the
patch basically needs to be recreated. Shouldn't be too hard really - it
is simple to understand. However I don't have an Oracle server to test
the resultant patch against.

So just wondering if anybody uses django-python with Oracle, and if this
security fix warrants getting fixed in wheezy-security.

Maybe this warrants a security advisory without a patch? Is that even
possible?

Regards
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/

