On 2016-11-05 04:59, Raphael Hertzog wrote:
The whole case of this CVE is not about using settings.DEBUG in production but about a possible cross-site scripting attack targetting a Django developer who might have a Django application running locally in DEBUG mode (and which might be configured to hit a remote database).
So I tend to agree with Guido, I would suspect that this CVE affects Wheezy too and we need a clear explanation of why that would not be the case.
I think I understand this security issue now. I should be able to work on a fix for wheezy-security tomorrow.
|