Upstream has issued an advisory today (November 1): https://www.djangoproject.com/weblog/2016/nov/01/security-releases/ The issues are fixed in 1.8.16. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Ubuntu has issued an advisory for this today (November 1): https://www.ubuntu.com/usn/usn-3115-1/
python-django-1.8.16-1.mga5.noarch.rpm
python-django-bash-completion-1.8.16-1.mga5.noarch.rpm
python3-django-1.8.16-1.mga5.noarch.rpm
python-django-doc-1.8.16-1.mga5.noarch.rpm

from python-django-1.8.16-1.mga5.src.rpm

Are in 5/core/updates_testing

Cauldron freeze push asked

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=17860#c7

Advisory

CVE-2016-9013: User with hardcoded password created when running tests on Oracle

When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the database settings TEST dictionary, a hardcoded password is used. This could allow an attacker with network access to the database server to connect.

CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True

Older versions of Django don't validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS rebinding attack.

Ref:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9013
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9014
https://www.djangoproject.com/weblog/2016/nov/01/security-releases/
https://www.ubuntu.com/usn/usn-3115-1/
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA5TOO => MGA5TOO has_procedure
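As an added illustration of the CVE-2016-9014 item in the advisory above (example code written for this thread, not Django's or Mageia's own), the script below reimplements the ALLOWED_HOSTS matching rules and the two get_host() code paths as I read the upstream fix: before 1.8.16, DEBUG=True effectively replaced the allowed list with ['*'], so any Host header was accepted; from 1.8.16 on, an empty ALLOWED_HOSTS under DEBUG falls back to loopback names. The fallback list, the fixed/unfixed switch and all sample Host values are assumptions constructed for the demonstration, so it runs without a Django install.

```python
"""Host-header validation in the spirit of Django's ALLOWED_HOSTS check.

Added example for this bug thread, not Django's or Mageia's code. The two code
paths below are my reading of the CVE-2016-9014 fix: before 1.8.16, DEBUG=True
accepted any Host header; after it, an empty ALLOWED_HOSTS under DEBUG falls
back to loopback names. All sample Host values are constructed.
"""
import re

# A Host value is a name, an IPv4 address or a bracketed IPv6 literal, with an
# optional :port. Anything else is rejected outright (Django raises DisallowedHost).
_HOST_RE = re.compile(r"^([a-z0-9.\-]+|\[[a-f0-9:.]+\])(:\d+)?$")

# Assumed fallback list used by the fixed get_host() when DEBUG=True and
# ALLOWED_HOSTS is empty.
DEBUG_FALLBACK_HOSTS = ["localhost", "127.0.0.1", "[::1]"]


def split_domain_port(host_header):
    """Lower-case and split 'host[:port]'; returns ('', '') for malformed input."""
    match = _HOST_RE.match(host_header.strip().lower())
    if not match:
        return "", ""
    domain, port = match.group(1), match.group(2) or ""
    return domain.rstrip("."), port.lstrip(":")


def is_same_domain(host, pattern):
    """Exact match, or any subdomain (and the bare domain) when pattern starts with '.'."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def validate_host(host, allowed_hosts):
    """'*' allows everything; otherwise the host must match one pattern."""
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def get_host(host_header, allowed_hosts, debug=False, fixed=True):
    """Return the validated 'host[:port]' or raise ValueError.

    fixed=False models the pre-1.8.16 path, where DEBUG=True replaced the
    allowed list with ['*'], so a rebound attacker-controlled name was accepted.
    """
    if debug:
        if not fixed:
            allowed_hosts = ["*"]
        elif not allowed_hosts:
            allowed_hosts = DEBUG_FALLBACK_HOSTS
    domain, port = split_domain_port(host_header)
    if domain and validate_host(domain, allowed_hosts):
        return "%s:%s" % (domain, port) if port else domain
    raise ValueError("Invalid HTTP_HOST header: %r" % host_header)


def is_host_allowed(host_header, allowed_hosts, debug=False, fixed=True):
    """Boolean wrapper around get_host() for quick checks."""
    try:
        get_host(host_header, allowed_hosts, debug=debug, fixed=fixed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed: a developer's own browser vs. a rebound attacker-controlled
    # name, both hitting runserver with DEBUG=True and an empty ALLOWED_HOSTS.
    for raw in ("localhost:8000", "attacker.example:8000"):
        for fixed in (False, True):
            verdict = "allowed" if is_host_allowed(raw, [], debug=True, fixed=fixed) else "rejected"
            print("%-22s %s: %s" % (raw, "1.8.16" if fixed else "1.8.15", verdict))
```

Running it shows the difference the advisory describes: with the unfixed path a DEBUG=True dev server answers for attacker.example, which is exactly what a DNS rebinding page needs once the victim's browser resolves that name to 127.0.0.1; with the fixed path only the loopback names pass unless the developer lists more in ALLOWED_HOSTS.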
Version: Cauldron => 5
Whiteboard: MGA5TOO has_procedure => has_procedure
URL: (none) => http://lwn.net/Vulnerabilities/705373/
MGA55-32 on Acer D620 Xfce

No installation issues.
Test procedure as referred to in Comment 2 works like a breeze.
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Advisory uploaded.
CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
Testing M5-64 real H/W

Using the test procedure linked in Comment 2, both before & after the update to:
python3-django-1.8.16-1.mga5
python-django-1.8.16-1.mga5
python-django-bash-completion-1.8.16-1.mga5
python-django-doc-1.8.16-1.mga5

Results were essentially identical, with the trivial difference:

BEFORE the update:
$ python[3] manage.py runserver
...
Quit the server with CONTROL-C.
[06/Nov/2016 08:21:15] "GET / HTTP/1.1" 200 1767
[06/Nov/2016 08:21:15] "GET /favicon.ico HTTP/1.1" 404 1936
^C

AFTER the update, these two lines were not present. But this is clearly OK.

Validating the update.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK advisory => has_procedure MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0368.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED