Re: python-django and CVE-2016-9014
On Fri, 04 Nov 2016, Chris Lamb wrote:
> Guido Günther wrote:
>
> > Isn't this also affected by a rebinding attack since we allow any host
> > in debug mode?
>
> If it helps, speaking as a regular Django developer, if you've got
> ``settings.DEBUG`` enabled in production you have much bigger problems
> than a rebinding attack…
The whole case of this CVE is not about using settings.DEBUG in production
but about a possible cross-site scripting attack targetting a Django
developer who might have a Django application running locally in DEBUG
mode (and which might be configured to hit a remote database).
So I tend to agree with Guido, I would suspect that this CVE affects
Wheezy too and we need a clear explanation of why that would not be the
case.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Reply to: