
Re: python-django and CVE-2016-9014



On Fri, 04 Nov 2016, Chris Lamb wrote:
> Guido Günther wrote:
> 
> > Isn't this also affected by a rebinding attack since we allow any host
> > in debug mode?
> 
> If it helps, speaking as a regular Django developer, if you've got
> ``settings.DEBUG`` enabled in production you have much bigger problems
> than a rebinding attack…

The whole case of this CVE is not about using settings.DEBUG in production
but about a possible cross-site scripting attack targeting a Django
developer who might have a Django application running locally in DEBUG
mode (and which might be configured to hit a remote database).

So I tend to agree with Guido; I would suspect that this CVE affects
Wheezy too, and we need a clear explanation of why that would not be the
case.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
