=========================================================================== Ubuntu Security Notice USN-3115-1 November 01, 2016 python-django vulnerabilities =========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.10 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in Django. Software Description: - python-django: High-level Python web development framework Details: Marti Raudsepp discovered that Django incorrectly used a hardcoded password when running tests on an Oracle database. A remote attacker could possibly connect to the database while the tests are running and prevent the test user with the hardcoded password from being removed. (CVE-2016-9013) Aymeric Augustin discovered that Django incorrectly validated hosts when being run with the debug setting enabled. A remote attacker could possibly use this issue to perform DNS rebinding attacks. (CVE-2016-9014) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.10: python-django 1.8.7-1ubuntu8.1 python3-django 1.8.7-1ubuntu8.1 Ubuntu 16.04 LTS: python-django 1.8.7-1ubuntu5.4 python3-django 1.8.7-1ubuntu5.4 Ubuntu 14.04 LTS: python-django 1.6.1-2ubuntu0.16 Ubuntu 12.04 LTS: python-django 1.3.1-4ubuntu1.22 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-3115-1 CVE-2016-9013, CVE-2016-9014 Package Information: https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu8.1 https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu5.4 https://launchpad.net/ubuntu/+source/python-django/1.6.1-2ubuntu0.16 https://launchpad.net/ubuntu/+source/python-django/1.3.1-4ubuntu1.22