USN-3115-1: Django vulnerabilities
1 November 2016
Several security issues were fixed in Django.
- python-django - High-level Python web development framework
Marti Raudsepp discovered that Django incorrectly used a hardcoded password
when running tests on an Oracle database. A remote attacker could possibly
connect to the database while the tests are running and prevent the test
user with the hardcoded password from being removed. (CVE-2016-9013)
Aymeric Augustin discovered that Django incorrectly validated hosts when
being run with the debug setting enabled. A remote attacker could possibly
use this issue to perform DNS rebinding attacks. (CVE-2016-9014)
The problem can be corrected by updating your system to the following package versions:
In general, a standard system update will make all the necessary changes.