On 2016-11-05 04:59, Raphael Hertzog wrote:
The whole case of this CVE is not about using settings.DEBUG in production
but about a possible cross-site scripting attack targetting a Django
developer who might have a Django application running locally in DEBUG
mode (and which might be configured to hit a remote database).
So I tend to agree with Guido, I would suspect that this CVE affects
Wheezy too and we need a clear explanation of why that would not be the
I think I understand this security issue now. I should be able to work on a fix for wheezy-security tomorrow.