Re: python-django and CVE-2016-9014

To: Chris Lamb <lamby@debian.org>
Cc: nicholas.luedtke@hpe.com, debian-lts@lists.debian.org
Subject: Re: python-django and CVE-2016-9014
From: Guido Günther <agx@sigxcpu.org>
Date: Fri, 4 Nov 2016 11:34:29 +0100
Message-id: <[🔎] 20161104103429.zdryfy4vsna7x5lo@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Chris Lamb <lamby@debian.org>, nicholas.luedtke@hpe.com, debian-lts@lists.debian.org
In-reply-to: <[🔎] 1478255563.797590.777261465.5375CE76@webmail.messagingengine.com>
References: <[🔎] 20161104073724.7ejqqhe6yytnpfut@bogon.m.sigxcpu.org> <[🔎] 1478255563.797590.777261465.5375CE76@webmail.messagingengine.com>

On Fri, Nov 04, 2016 at 10:32:43AM +0000, Chris Lamb wrote:
> Guido Günther wrote:
> 
> > Isn't this also affected by a rebinding attack since we allow any host
> > in debug mode?
> 
> If it helps, speaking as a regular Django developer, if you've got
> ``settings.DEBUG`` enabled in production you have much bigger problems
> than a rebinding attack…

I know but I'd like the information in the tracker to be correct.

Cheers,
 -- Guido

Reply to:

Follow-Ups:
- Re: python-django and CVE-2016-9014
  - From: Nicholas Luedtke <nicholas.luedtke@hpe.com>

References:
- python-django and CVE-2016-9014
  - From: Guido Günther <agx@sigxcpu.org>
- Re: python-django and CVE-2016-9014
  - From: Chris Lamb <lamby@debian.org>

Prev by Date: Re: python-django and CVE-2016-9014
Next by Date: Re: Regression problem, call for advice Re: Call for advice and testing of nss (and nspr) and intention to upload correction
Previous by thread: Re: python-django and CVE-2016-9014
Next by thread: Re: python-django and CVE-2016-9014
Index(es):
- Date
- Thread