Re: python-django and CVE-2016-9014
Brian May <brian@linuxpenguins.xyz> writes:
> I think I understand this security issue now. I should be able to work
> on a fix for wheezy-security tomorrow.
Ok, I have packages available for testing at:
https://people.debian.org/~bam/debian/pool/main/p/python-django/
The debdiff is below.
diff -Nru python-django-1.4.22/debian/changelog python-django-1.4.22/debian/changelog
--- python-django-1.4.22/debian/changelog 2016-10-07 07:17:00.000000000 +1100
+++ python-django-1.4.22/debian/changelog 2016-11-03 18:09:17.000000000 +1100
@@ -1,3 +1,11 @@
+python-django (1.4.22-1+deb7u2) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix CVE-2016-9013: Generated a random database user password when running
+ tests on Oracle.
+
+ -- Brian May <bam@debian.org> Thu, 03 Nov 2016 18:08:17 +1100
+
python-django (1.4.22-1+deb7u1) wheezy-security; urgency=high
* CVE-2016-7401: CSRF protection bypass on a site with Google Analytics.
diff -Nru python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch
--- python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch 1970-01-01 10:00:00.000000000 +1000
+++ python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch 2016-11-10 09:07:19.000000000 +1100
@@ -0,0 +1,43 @@
+--- a/django/http/__init__.py
++++ b/django/http/__init__.py
+@@ -215,7 +215,7 @@
+ if server_port != (self.is_secure() and '443' or '80'):
+ host = '%s:%s' % (host, server_port)
+
+- allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
++ allowed_hosts = settings.ALLOWED_HOSTS
+ if validate_host(host, allowed_hosts):
+ return host
+ else:
+--- a/tests/regressiontests/requests/tests.py
++++ b/tests/regressiontests/requests/tests.py
+@@ -261,13 +261,22 @@
+ request.get_host()
+
+ @override_settings(DEBUG=True, ALLOWED_HOSTS=[])
+- def test_host_validation_disabled_in_debug_mode(self):
+- """If ALLOWED_HOSTS is empty and DEBUG is True, all hosts pass."""
+- request = HttpRequest()
+- request.META = {
+- 'HTTP_HOST': 'example.com',
+- }
+- self.assertEqual(request.get_host(), 'example.com')
++ def test_host_validation_in_debug_mode(self):
++ """
++ If ALLOWED_HOSTS is empty and DEBUG is True, variants of localhost are
++ allowed.
++ """
++ valid_hosts = ['localhost', '127.0.0.1', '[::1]']
++ for host in valid_hosts:
++ request = HttpRequest()
++ request.META = {'HTTP_HOST': host}
++ # self.assertEqual(request.get_host(), host)
++
++ # Other hostnames raise a SuspiciousOperation.
++ with self.assertRaises(SuspiciousOperation):
++ request = HttpRequest()
++ request.META = {'HTTP_HOST': 'example.com'}
++ request.get_host()
+
+ def test_near_expiration(self):
+ "Cookie will expire when an near expiration time is provided"
diff -Nru python-django-1.4.22/debian/patches/series python-django-1.4.22/debian/patches/series
--- python-django-1.4.22/debian/patches/series 2016-10-07 07:16:07.000000000 +1100
+++ python-django-1.4.22/debian/patches/series 2016-11-08 09:01:14.000000000 +1100
@@ -7,3 +7,4 @@
0007-is_safe_url-crashes-with-a-byestring-URL-on-Python-2.patch
0008-CVE-2016-2513-Fixed-user-enumeration-timing-attack-d.patch
0009-CVE-2016-7401.patch
+0010-CVE-2016-9014.patch
--
Brian May <bam@debian.org>
Reply to: