On Fri, 2016-11-04 at 08:31 +1100, Brian May wrote: > Hello All, > > Looking at CVE-2016-9013 for django-python in wheezy-security, I see > that: > > * It only occurs if you run the tests on an Oracle server. > * The window for exploitation is reduced if you don't use the --keepdb > option. Not sure why you would want to use this option on a production system. > * A test user is created on the Oracle server with a known password. Bad. > * If you used the --keepdb option, the upstream patch doesn't "fix" > existing installs. Fix must be done manually and doesn't require the patch. > > In porting the patch across, I found it doesn't port easily. So the > patch basically needs to be recreated. Shouldn't be too hard really - it > is simple to understand. However I don't have an Oracle server to test > the resultant patch against. > > So just wondering if anybody uses django-python with Oracle, and if this > security fix warrants getting fixed in wheezy-security. > > Maybe this warrants a security advisory without a patch? Is that even > possible? I'm not convinced this even warrants a security advisory. So far as I can see, the old behaviour: - is not triggered by normal usage, and cannot be triggered by a malicious user - is documented, and can be overridden: <https://sources.debian.net/src/python-django/1.4.5-1%2Bdeb7u16/docs/ref/settings.txt/#L669> Ben. -- Ben Hutchings The world is coming to an end. Please log off.
Description: This is a digitally signed message part