Re: python-django and CVE-2016-9014

To: debian-lts@lists.debian.org
Subject: Re: python-django and CVE-2016-9014
From: Brian May <brian@linuxpenguins.xyz>
Date: Mon, 07 Nov 2016 18:01:57 +1100
Message-id: <[🔎] 77ec62bddf0a4ecdb9198464e3580395@linuxpenguins.xyz>
In-reply-to: <[🔎] 20161104175943.jikbgwr2mfrrq7v5@home.ouaza.com>
References: <[🔎] 20161104073724.7ejqqhe6yytnpfut@bogon.m.sigxcpu.org> <[🔎] 1478255563.797590.777261465.5375CE76@webmail.messagingengine.com> <[🔎] 20161104175943.jikbgwr2mfrrq7v5@home.ouaza.com>

On 2016-11-05 04:59, Raphael Hertzog wrote:

The whole case of this CVE is not about using settings.DEBUG in production
but about a possible cross-site scripting attack targetting a Django
developer who might have a Django application running locally in DEBUG
mode (and which might be configured to hit a remote database).

So I tend to agree with Guido, I would suspect that this CVE affects
Wheezy too and we need a clear explanation of why that would not be the
case.

I think I understand this security issue now. I should be able to work on a fix for wheezy-security tomorrow.

Reply to:

Follow-Ups:
- Re: python-django and CVE-2016-9014
  - From: Brian May <bam@debian.org>

References:
- python-django and CVE-2016-9014
  - From: Guido Günther <agx@sigxcpu.org>
- Re: python-django and CVE-2016-9014
  - From: Chris Lamb <lamby@debian.org>
- Re: python-django and CVE-2016-9014
  - From: Raphael Hertzog <hertzog@debian.org>

Prev by Date: Re: Regression problem, call for advice Re: Call for advice and testing of nss (and nspr) and intention to upload correction
Next by Date: Re: [Pkg-chromium-maint] Bug#843624: chromium: since upgrade to latest libnss3-1d chromium shows only "Aw, Snap!"
Previous by thread: Re: python-django and CVE-2016-9014
Next by thread: Re: python-django and CVE-2016-9014
Index(es):
- Date
- Thread