AVG-57

Package: python-django, python2-django
Status: Fixed
Severity: High
Type: multiple issues
Affected: 1.10.2-1
Fixed: 1.10.3-1
Current: 2.0.6-1 [extra], 1.11.13-1 [extra]
Ticket: None
Created: Tue Nov 1 15:00:11 2016

Issue | Severity | Remote | Type | Description
CVE-2016-9014 | High | Yes | Access restriction bypass | Older versions of Django don't validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS...
CVE-2016-9013 | High | Yes | Authentication bypass | When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the...

Date | Advisory | Package | Description
16 Nov 2016 | ASA-201611-15 | python-django | multiple issues
16 Nov 2016 | ASA-201611-14 | python2-django | multiple issues

References
https://www.djangoproject.com/weblog/2016/nov/01/security-releases/