Ubuntu Security Notice 3115-1 - Marti Raudsepp discovered that Django incorrectly used a hardcoded password when running tests on an Oracle database. A remote attacker could possibly connect to the database while the tests are running and prevent the test user with the hardcoded password from being removed. Aymeric Augustin discovered that Django incorrectly validated hosts when being run with the debug setting enabled. A remote attacker could possibly use this issue to perform DNS rebinding attacks. Various other issues were also addressed.
5c1c9d1d1e38a457538fe86e55cd49a207d781efdf2c75c50ac71022097da8d7
===========================================================================
Ubuntu Security Notice USN-3115-1
November 01, 2016
python-django vulnerabilities
===========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Django.
Software Description:
- python-django: High-level Python web development framework
Details:
Marti Raudsepp discovered that Django incorrectly used a hardcoded password
when running tests on an Oracle database. A remote attacker could possibly
connect to the database while the tests are running and prevent the test
user with the hardcoded password from being removed. (CVE-2016-9013)
Aymeric Augustin discovered that Django incorrectly validated hosts when
being run with the debug setting enabled. A remote attacker could possibly
use this issue to perform DNS rebinding attacks. (CVE-2016-9014)
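The host-validation problem behind CVE-2016-9014 is that a Django deployment running with DEBUG enabled and an empty ALLOWED_HOSTS accepted any Host header, so a rebinding DNS name pointing at the developer's loopback address would be served. The following is an added illustration, not Django's own code: a small validator that mirrors the corrected behaviour, where the debug-mode fallback accepts only loopback names and everything else must match an explicit ALLOWED_HOSTS pattern. Pattern semantics ("*", leading-dot wildcard, exact match) follow Django's documented ALLOWED_HOSTS rules; the function and constant names and the sample Host values are assumptions made for this example.

```python
import re

# Added example, not Django's own implementation: a Host-header validator that
# reproduces the post-fix behaviour. With debug=True and no ALLOWED_HOSTS the
# only accepted names are the loopback ones below; before the fix this case
# accepted every Host header, which is what enabled DNS rebinding.
DEBUG_FALLBACK_HOSTS = ["localhost", "127.0.0.1", "[::1]"]

# host[:port], with IPv6 literals kept in brackets (same shape Django checks)
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:\d+)?$")


def split_domain_port(host):
    """Return (domain, port) for a Host header value.

    The domain is lowercased with any trailing dot removed; IPv6 literals keep
    their brackets. A value that does not look like host[:port] yields ("", "").
    """
    host = host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):
        return host, ""  # bare IPv6 literal without a port
    bits = host.rsplit(":", 1)
    domain, port = bits if len(bits) == 2 else (bits[0], "")
    if domain.endswith("."):
        domain = domain[:-1]
    return domain, port


def match_pattern(domain, pattern):
    """Match one ALLOWED_HOSTS entry: '*' accepts anything, '.example.com'
    accepts the domain and any subdomain, anything else must match exactly."""
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return domain == pattern[1:] or domain.endswith(pattern)
    return domain == pattern


def validate_host(host, allowed_hosts, debug=False):
    """Return True if the Host header is acceptable for this deployment.

    allowed_hosts is the ALLOWED_HOSTS list. When debug is True and the list is
    empty, only loopback names are accepted instead of every host.
    """
    if debug and not allowed_hosts:
        allowed_hosts = DEBUG_FALLBACK_HOSTS
    domain, _port = split_domain_port(host)
    if not domain:
        return False
    return any(match_pattern(domain, p.lower()) for p in allowed_hosts)


if __name__ == "__main__":
    # Constructed sample Host values; a rebinding name resolving to 127.0.0.1
    # is still rejected because the name itself is not on the list.
    for sample in ["localhost:8000", "[::1]", "rebinding.example.test"]:
        print(f"DEBUG, empty ALLOWED_HOSTS: {sample!r:>28} -> {validate_host(sample, [], debug=True)}")
    for sample in ["app.example.com", "example.com", "example.org"]:
        print(f"ALLOWED_HOSTS=['.example.com']: {sample!r:>18} -> {validate_host(sample, ['.example.com'])}")
```

The practical takeaway for an affected deployment is the same as the validator shows: set ALLOWED_HOSTS explicitly even in development, and treat DEBUG=True on a network-reachable interface as a misconfiguration rather than relying on the framework's fallback.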
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
python-django 1.8.7-1ubuntu8.1
python3-django 1.8.7-1ubuntu8.1
Ubuntu 16.04 LTS:
python-django 1.8.7-1ubuntu5.4
python3-django 1.8.7-1ubuntu5.4
Ubuntu 14.04 LTS:
python-django 1.6.1-2ubuntu0.16
Ubuntu 12.04 LTS:
python-django 1.3.1-4ubuntu1.22
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3115-1
CVE-2016-9013, CVE-2016-9014
Package Information:
https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu8.1
https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu5.4
https://launchpad.net/ubuntu/+source/python-django/1.6.1-2ubuntu0.16
https://launchpad.net/ubuntu/+source/python-django/1.3.1-4ubuntu1.22