[Buildroot] [PATCH] python-django: security bump to version 1.10.7
Peter Korsgaard
peter at korsgaard.com
Thu Apr 27 19:27:57 UTC 2017
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
> Since 1.10.3:
> CVE-2016-9013 - User with hardcoded password created when running tests on
> Oracle
> Marti Raudsepp reported that a user with a hardcoded password is created
> when running tests with an Oracle database.
> CVE-2016-9014 - DNS rebinding vulnerability when DEBUG=True
> Aymeric Augustin discovered that Django does not properly validate the Host
> header against settings.ALLOWED_HOSTS when the debug setting is enabled. A
> remote attacker can take advantage of this flaw to perform DNS rebinding
> attacks.
> Since 1.10.7:
> CVE-2017-7233 - Open redirect and possible XSS attack via user-supplied
> numeric redirect URLs
> It was discovered that is_safe_url() does not properly handle certain
> numeric URLs as safe. A remote attacker can take advantage of this flaw to
> perform XSS attacks or to use a Django server as an open redirect.
> CVE-2017-7234 - Open redirect vulnerability in django.views.static.serve()
> Phithon from Chaitin Tech discovered an open redirect vulnerability in the
> django.views.static.serve() view. Note that this view is not intended for
> production use.
> Cc: Oli Vogt <oli.vogt.pub01 at gmail.com>
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
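As an added illustration of the two checks the fixes above are about (not Django's own code and not part of this patch), a redirect-target validator that refuses scheme-without-host URLs such as "http:999999999", and a Host-header allow-list check that should apply regardless of DEBUG; the function names and the allow-list format are assumptions:

```python
from urllib.parse import urlsplit


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """True only if `url` is a path on this site or an absolute/scheme-relative
    http(s) URL whose host is in `allowed_hosts`. Not Django's implementation."""
    if not url or url != url.strip() or any(c in url for c in "\t\r\n"):
        return False  # empty, padded, or control characters (parser smuggling)
    # Browsers treat "\" like "/", so "/\evil.example" is scheme-relative,
    # not a local path; normalise before parsing.
    url = url.replace("\\", "/")
    if url.startswith("///"):
        return False  # browser-dependent parsing, refuse outright
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme and not parts.netloc:
        # The CVE-2017-7233 shape: a scheme with no host, e.g. "http:999999999"
        # (this also rejects javascript: and data: URLs).
        return False
    if not parts.scheme and not parts.netloc:
        return True  # plain relative path, stays on the current host
    if parts.scheme not in ("", "http", "https"):
        return False
    if require_https and parts.scheme == "http":
        return False
    return (parts.hostname or "") in allowed_hosts


def host_allowed(host_header, allowed_hosts):
    """Check a Host header (port optional) against an ALLOWED_HOSTS-style list:
    exact names, "*" for anything, or ".example.com" for the domain and all
    subdomains. Apply it whether or not DEBUG is on (see CVE-2016-9014)."""
    host = host_header.lower()
    if not host.endswith("]"):  # "[::1]:8000" -> "[::1]", "a.example:80" -> "a.example"
        host = host.rsplit(":", 1)[0]
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False
```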