python-django and CVE-2016-9014

To: nicholas.luedtke@hpe.com
Cc: debian-lts@lists.debian.org
Subject: python-django and CVE-2016-9014
From: Guido Günther <agx@sigxcpu.org>
Date: Fri, 4 Nov 2016 08:37:24 +0100
Message-id: <[🔎] 20161104073724.7ejqqhe6yytnpfut@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, nicholas.luedtke@hpe.com, debian-lts@lists.debian.org

Hi Nicholas,
I put python-django into dla-needed CVE-2016-9014 on 2016-11-02 . You
marked it as not-affected ("Vulnerable code intrduced in 1.7a1") on the
same day but the wheezy version has:

    allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
    if validate_host(host, allowed_hosts):
        return host

Isn't this also affected by a rebinding attack since we allow any host
in debug mode?
Cheers,
 -- Guido

Reply to:

Follow-Ups:
- Re: python-django and CVE-2016-9014
  - From: Chris Lamb <lamby@debian.org>

Prev by Date: Re: CVE-2016-9013 / django-python
Next by Date: Re: CVE-2016-9013 / django-python
Previous by thread: Re: CVE-2016-9013 / django-python
Next by thread: Re: python-django and CVE-2016-9014
Index(es):
- Date
- Thread