
Re: python-django and CVE-2016-9014



Brian May <brian@linuxpenguins.xyz> writes:

> I think I understand this security issue now. I should be able to work
> on a fix for wheezy-security tomorrow.

Ok, I have packages available for testing at:

https://people.debian.org/~bam/debian/pool/main/p/python-django/

The debdiff is below.

diff -Nru python-django-1.4.22/debian/changelog python-django-1.4.22/debian/changelog
--- python-django-1.4.22/debian/changelog	2016-10-07 07:17:00.000000000 +1100
+++ python-django-1.4.22/debian/changelog	2016-11-03 18:09:17.000000000 +1100
@@ -1,3 +1,11 @@
+python-django (1.4.22-1+deb7u2) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Fix CVE-2016-9013: Generated a random database user password when running
+    tests on Oracle.
+
+ -- Brian May <bam@debian.org>  Thu, 03 Nov 2016 18:08:17 +1100
+
 python-django (1.4.22-1+deb7u1) wheezy-security; urgency=high
 
   * CVE-2016-7401: CSRF protection bypass on a site with Google Analytics.
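Review bot: the new changelog entry names the wrong CVE and describes a different issue; `* Fix CVE-2016-9013: Generated a random database user password when running tests on Oracle.` does not match the patch this upload adds, `0010-CVE-2016-9014.patch`, which removes the `['*']` wildcard that `get_host()` used for ALLOWED_HOSTS when `DEBUG` is True. Suggest rewording to something like `* Fix CVE-2016-9014: get_host() no longer bypasses ALLOWED_HOSTS validation when DEBUG is True.` so the changelog, the patch name and the Subject of this thread agree.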
diff -Nru python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch
--- python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch	1970-01-01 10:00:00.000000000 +1000
+++ python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch	2016-11-10 09:07:19.000000000 +1100
@@ -0,0 +1,43 @@
+--- a/django/http/__init__.py
++++ b/django/http/__init__.py
+@@ -215,7 +215,7 @@
+             if server_port != (self.is_secure() and '443' or '80'):
+                 host = '%s:%s' % (host, server_port)
+ 
+-        allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
++        allowed_hosts = settings.ALLOWED_HOSTS
+         if validate_host(host, allowed_hosts):
+             return host
+         else:
+--- a/tests/regressiontests/requests/tests.py
++++ b/tests/regressiontests/requests/tests.py
+@@ -261,13 +261,22 @@
+                 request.get_host()
+ 
+     @override_settings(DEBUG=True, ALLOWED_HOSTS=[])
+-    def test_host_validation_disabled_in_debug_mode(self):
+-        """If ALLOWED_HOSTS is empty and DEBUG is True, all hosts pass."""
+-        request = HttpRequest()
+-        request.META = {
+-            'HTTP_HOST': 'example.com',
+-        }
+-        self.assertEqual(request.get_host(), 'example.com')
++    def test_host_validation_in_debug_mode(self):
++        """
++        If ALLOWED_HOSTS is empty and DEBUG is True, variants of localhost are
++        allowed.
++        """
++        valid_hosts = ['localhost', '127.0.0.1', '[::1]']
++        for host in valid_hosts:
++            request = HttpRequest()
++            request.META = {'HTTP_HOST': host}
++            # self.assertEqual(request.get_host(), host)
++
++        # Other hostnames raise a SuspiciousOperation.
++        with self.assertRaises(SuspiciousOperation):
++            request = HttpRequest()
++            request.META = {'HTTP_HOST': 'example.com'}
++            request.get_host()
+ 
+     def test_near_expiration(self):
+         "Cookie will expire when an near expiration time is provided"
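Review bot: the replacement test `test_host_validation_in_debug_mode` asserts nothing for the hosts it claims are allowed, and the code change does not implement what its docstring says. The only check inside the loop is commented out (`# self.assertEqual(request.get_host(), host)`), and the one-line change `allowed_hosts = settings.ALLOWED_HOSTS` adds no fallback for `localhost`, `127.0.0.1` or `[::1]` when `ALLOWED_HOSTS` is empty and `DEBUG` is True, so under `@override_settings(DEBUG=True, ALLOWED_HOSTS=[])` those hosts would fail validation just like `example.com`, contradicting "variants of localhost are allowed". Either add that localhost fallback to `get_host()` and uncomment the assertion, or drop the loop and reword the docstring to state that no host passes when ALLOWED_HOSTS is empty in DEBUG mode. The patch file also lacks a DEP-3 header (Description, Origin, Bug-Debian) before the first `--- a/django/http/__init__.py`, which the other patches in `debian/patches` would normally carry.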
diff -Nru python-django-1.4.22/debian/patches/series python-django-1.4.22/debian/patches/series
--- python-django-1.4.22/debian/patches/series	2016-10-07 07:16:07.000000000 +1100
+++ python-django-1.4.22/debian/patches/series	2016-11-08 09:01:14.000000000 +1100
@@ -7,3 +7,4 @@
 0007-is_safe_url-crashes-with-a-byestring-URL-on-Python-2.patch
 0008-CVE-2016-2513-Fixed-user-enumeration-timing-attack-d.patch
 0009-CVE-2016-7401.patch
+0010-CVE-2016-9014.patch

-- 
Brian May <bam@debian.org>

