
Re: CVE-2016-9013 / django-python

On Fri, 2016-11-04 at 08:31 +1100, Brian May wrote:
> Hello All,
> Looking at CVE-2016-9013 for django-python in wheezy-security, I see
> that:
> * It only occurs if you run the tests on an Oracle server.
> * The window for exploitation is reduced if you don't use the --keepdb
>   option. Not sure why you would want to use this option on a production system.
> * A test user is created on the Oracle server with a known password. Bad.
> * If you used the --keepdb option, the upstream patch doesn't "fix"
>   existing installs. Fix must be done manually and doesn't require the patch.
> In porting the patch across, I found it doesn't port easily. So the
> patch basically needs to be recreated. Shouldn't be too hard really - it
> is simple to understand. However I don't have an Oracle server to test
> the resultant patch against.
> So just wondering if anybody uses django-python with Oracle, and if this
> security fix warrants getting fixed in wheezy-security.
> Maybe this warrants a security advisory without a patch? Is that even
> possible?

I'm not convinced this even warrants a security advisory.  So far as I
can see, the old behaviour:
- is not triggered by normal usage, and cannot be triggered by a
  malicious user
- is documented, and can be overridden:


Ben Hutchings
The world is coming to an end.	Please log off.
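As an added illustration of the mitigation the thread points at (an explicit test-user password instead of the backend's known default), not code from either poster or from Django: the helper below builds a Django `DATABASES` entry for the Oracle backend whose test-user password is generated at random per process, and audits a `DATABASES` dict for Oracle entries that still omit an explicit `TEST` `PASSWORD`. It assumes the documented `TEST` `USER`/`PASSWORD` keys of the Oracle backend; the alias names, database name and credentials are constructed placeholders, and no Django import is needed.

```python
"""Added example (not from the thread): give Django's Oracle test user an
explicit random password and flag DATABASES entries that rely on the
backend default. Assumes the Oracle backend's TEST USER / TEST PASSWORD
settings keys; all names and credentials below are constructed."""
import secrets

ORACLE_ENGINE = "django.db.backends.oracle"


def oracle_db_settings(name, user, password, test_user="test_myapp"):
    """Build one DATABASES entry whose test-user password is generated for
    this process only, so no account with a known password is created on
    the server, even if --keepdb leaves the test user in place."""
    return {
        "ENGINE": ORACLE_ENGINE,
        "NAME": name,
        "USER": user,
        "PASSWORD": password,
        "TEST": {
            "USER": test_user,
            "PASSWORD": secrets.token_urlsafe(24),  # fresh random secret
        },
    }


def audit_test_passwords(databases):
    """Return the aliases of Oracle entries that do not set TEST PASSWORD
    explicitly and would therefore fall back to the backend's default."""
    findings = []
    for alias, cfg in databases.items():
        if cfg.get("ENGINE") != ORACLE_ENGINE:
            continue  # only the Oracle backend creates a separate test user
        test = cfg.get("TEST") or {}
        if not test.get("PASSWORD"):
            findings.append(alias)
    return findings


if __name__ == "__main__":
    # Constructed sample: one hardened entry, one that still uses the default.
    databases = {
        "default": oracle_db_settings("orcl", "app", "app-secret-placeholder"),
        "legacy": {
            "ENGINE": ORACLE_ENGINE,
            "NAME": "orcl",
            "USER": "app",
            "PASSWORD": "app-secret-placeholder",  # no TEST block at all
        },
    }
    print("entries relying on the default test password:",
          audit_test_passwords(databases))
```

Running the audit against the settings module of each deployment is the practical check here: any Oracle alias it reports would create the test user with the backend's documented default password the next time the test suite runs.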
