Advisories » MGASA-2016-0368

Updated python-django packages fix security vulnerabilities

Publication date: 06 Nov 2016
Modification date: 06 Nov 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-9013, CVE-2016-9014

Description

User with hardcoded password created when running tests on Oracle
When running tests with an Oracle database, Django creates a temporary
database user. In older versions, if a password isn't manually specified
in the database settings TEST dictionary, a hardcoded password is used.
This could allow an attacker with network access to the database server
to connect. (CVE-2016-9013)

DNS rebinding vulnerability when DEBUG=True
Older versions of Django don't validate the Host header against
settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them
vulnerable to a DNS rebinding attack. (CVE-2016-9014)
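To make the two issues concrete, the following is an added Python illustration; it is not Django's own code and is not part of this advisory. It implements a Host-header check with ALLOWED_HOSTS semantics (exact match, leading-dot suffix match, `*` for any), the older behaviour that skipped the check entirely under DEBUG=True, the corrected behaviour that still validates and falls back to local names when ALLOWED_HOSTS is empty (the approach the upstream fix adopted), and a small helper for the Oracle TEST settings that supplies a random password when none is configured, removing the predictable credential behind CVE-2016-9013. All function names and the sample Host values are my own.

```python
import re
import secrets

# Well-formed Host header value: a dotted name or a bracketed IPv6 literal,
# with an optional numeric port. Anything else is rejected outright.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(:[0-9]+)?$")

# Names DEBUG mode may fall back to when ALLOWED_HOSTS is empty.
LOCAL_HOSTS = ["localhost", "127.0.0.1", "[::1]"]


def split_domain_port(host):
    """Return (domain, port) for a Host value, or (None, None) if malformed."""
    host = host.strip().lower()
    m = _HOST_RE.match(host)
    if not m:
        return None, None
    domain = m.group(1)
    port = m.group(2)[1:] if m.group(2) else ""
    # A trailing dot names the same fully-qualified host.
    if domain.endswith("."):
        domain = domain[:-1]
    if not domain:
        return None, None
    return domain, port


def host_allowed(host, allowed_hosts):
    """ALLOWED_HOSTS semantics: exact match, '.suffix' match, or '*' for any."""
    domain, _port = split_domain_port(host)
    if domain is None:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if domain == pattern[1:] or domain.endswith(pattern):
                return True
        elif domain == pattern:
            return True
    return False


def vulnerable_get_host(host, allowed_hosts, debug):
    """Older behaviour (CVE-2016-9014): DEBUG=True skips validation entirely,
    so a foreign name that resolves to this server is accepted."""
    if debug:
        return True
    return host_allowed(host, allowed_hosts)


def fixed_get_host(host, allowed_hosts, debug):
    """Corrected behaviour: always validate; with DEBUG=True and an empty
    ALLOWED_HOSTS only local names pass."""
    if debug and not allowed_hosts:
        allowed_hosts = LOCAL_HOSTS
    return host_allowed(host, allowed_hosts)


def oracle_test_settings(test_settings):
    """Return a copy of a DATABASES[...]['TEST'] dict that always has a PASSWORD.

    A fixed, well-known password for the temporary test user is the problem
    CVE-2016-9013 describes; a per-run random value removes it. (Illustrative
    helper, not the framework's own logic.)
    """
    settings = dict(test_settings)
    if not settings.get("PASSWORD"):
        settings["PASSWORD"] = secrets.token_urlsafe(24)
    return settings


if __name__ == "__main__":
    # Constructed sample Host values: one local name, one foreign name.
    for h in ["127.0.0.1:8000", "other.example"]:
        print(h, "old:", vulnerable_get_host(h, [], True),
              "fixed:", fixed_get_host(h, [], True))
```

Running the block shows the difference directly: with DEBUG=True and an empty ALLOWED_HOSTS, the old check accepts both names, while the fixed check accepts only the local one. In a real settings file the equivalent mitigation is to set ALLOWED_HOSTS explicitly and to put a PASSWORD in the TEST dictionary for Oracle rather than relying on defaults.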

References

SRPMS

5/core