Mageia alert MGASA-2016-0368 (python-django)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2016-0368: Updated python-django packages fix security vulnerabilities 
Date:
    	     
 
Sun, 6 Nov 2016 11:35:01 +0100
Message-ID:
    	     
 
<20161106103501.11FF99F7A3@duvel.mageia.org>
MGASA-2016-0368 - Updated python-django packages fix security vulnerabilities

Publication date: 06 Nov 2016
URL: http://advisories.mageia.org/MGASA-2016-0368.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-9013,
     CVE-2016-9014

Description:
User with hardcoded password created when running tests on Oracle
When running tests with an Oracle database, Django creates a temporary
database user. In older versions, if a password isn't manually specified
in the database settings TEST dictionary, a hardcoded password is used.
This could allow an attacker with network access to the database server
to connect. (CVE-2016-9013)

DNS rebinding vulnerability when DEBUG=True
Older versions of Django don't validate the Host header against
settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them
vulnerable to a DNS rebinding attack. (CVE-2016-9014)

References:
- https://bugs.mageia.org/show_bug.cgi?id=19690
- https://www.djangoproject.com/weblog/2016/nov/01/security...
- https://www.ubuntu.com/usn/usn-3115-1/
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9013
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9014

SRPMS:
- 5/core/python-django-1.8.16-1.mga5