Ubuntu alert USN-3115-1 (python-django)
| From: | Marc Deslauriers <marc.deslauriers@canonical.com> | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-3115-1] Django vulnerabilities | |
| Date: | Tue, 1 Nov 2016 14:35:50 -0400 | |
| Message-ID: | <987b36dc-e652-ffce-684b-440b5bc1661d@canonical.com> |
========================================================================== Ubuntu Security Notice USN-3115-1 November 01, 2016 python-django vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.10 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in Django. Software Description: - python-django: High-level Python web development framework Details: Marti Raudsepp discovered that Django incorrectly used a hardcoded password when running tests on an Oracle database. A remote attacker could possibly connect to the database while the tests are running and prevent the test user with the hardcoded password from being removed. (CVE-2016-9013) Aymeric Augustin discovered that Django incorrectly validated hosts when being run with the debug setting enabled. A remote attacker could possibly use this issue to perform DNS rebinding attacks. (CVE-2016-9014) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.10: python-django 1.8.7-1ubuntu8.1 python3-django 1.8.7-1ubuntu8.1 Ubuntu 16.04 LTS: python-django 1.8.7-1ubuntu5.4 python3-django 1.8.7-1ubuntu5.4 Ubuntu 14.04 LTS: python-django 1.6.1-2ubuntu0.16 Ubuntu 12.04 LTS: python-django 1.3.1-4ubuntu1.22 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-3115-1 CVE-2016-9013, CVE-2016-9014 Package Information: https://launchpad.net/ubuntu/+source/python-django/1.8.7-... https://launchpad.net/ubuntu/+source/python-django/1.8.7-... https://launchpad.net/ubuntu/+source/python-django/1.6.1-... https://launchpad.net/ubuntu/+source/python-django/1.3.1-... -- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security...