Hi Nicholas, I put python-django into dla-needed CVE-2016-9014 on 2016-11-02 . You marked it as not-affected ("Vulnerable code intrduced in 1.7a1") on the same day but the wheezy version has: allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS if validate_host(host, allowed_hosts): return host Isn't this also affected by a rebinding attack since we allow any host in debug mode? Cheers, -- Guido