
python-django and CVE-2016-9014



Hi Nicholas,
I put python-django into dla-needed for CVE-2016-9014 on 2016-11-02. You
marked it as not-affected ("Vulnerable code introduced in 1.7a1") on the
same day, but the wheezy version has:

    allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
    if validate_host(host, allowed_hosts):
        return host

Isn't this also affected by a rebinding attack since we allow any host
in debug mode?
Cheers,
 -- Guido
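As an added example, not part of this thread and not Django's own code: a standalone re-implementation of the Host validation logic quoted above, comparing the wheezy selection of allowed_hosts with what the CVE-2016-9014 fix does. It assumes the upstream fix substitutes the loopback names localhost, 127.0.0.1 and [::1] when DEBUG is on and ALLOWED_HOSTS is empty, and that hostnames arrive with the port already stripped (as Django's get_host does before validating).

```python
"""Re-implementation of Django's Host header checks for comparison purposes.

The helper names mirror Django's, but this is not Django's code.
"""

# Assumption: the loopback-only default that the upstream fix uses when
# DEBUG is on and ALLOWED_HOSTS is empty.
DEBUG_DEFAULT_HOSTS = ['localhost', '127.0.0.1', '[::1]']


def is_same_domain(host, pattern):
    """Exact match, or a leading-dot pattern matching a domain and its subdomains."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == '.' and (host.endswith(pattern) or host == pattern[1:])
        or pattern == host
    )


def validate_host(host, allowed_hosts):
    """True if host matches any allowed pattern; a bare '*' matches everything."""
    host = host[:-1] if host.endswith('.') else host
    return any(pattern == '*' or is_same_domain(host, pattern)
               for pattern in allowed_hosts)


def allowed_hosts_wheezy(debug, allowed_hosts):
    """Pre-fix selection quoted in the thread: any Host header passes in DEBUG."""
    return ['*'] if debug else allowed_hosts


def allowed_hosts_fixed(debug, allowed_hosts):
    """Post-fix selection: DEBUG only widens an *empty* ALLOWED_HOSTS to loopback."""
    if debug and not allowed_hosts:
        return DEBUG_DEFAULT_HOSTS
    return allowed_hosts


def host_accepted(host, debug, allowed_hosts, fixed):
    """Lower-case the hostname (as get_host does) and validate it under one policy."""
    select = allowed_hosts_fixed if fixed else allowed_hosts_wheezy
    return validate_host(host.lower(), select(debug, allowed_hosts))


if __name__ == '__main__':
    # Constructed hostname standing in for an unexpected name resolved to the dev server.
    for fixed in (False, True):
        print('fixed' if fixed else 'wheezy',
              host_accepted('rebound.example', True, [], fixed))
```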

