CVE-2016-9013

NameCVE-2016-9013
DescriptionDjango 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3835-1
NVD severityhigh (attack range: remote)
Debian Bugs842856

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)wheezy1.4.5-1+deb7u16vulnerable
wheezy (security)1.4.22-1+deb7u3vulnerable
jessie (security), jessie1.7.11-1+deb8u2fixed
stretch1:1.10.7-2fixed
buster, sid1:1.11.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosource(unstable)1:1.10.3-1high842856
python-djangosourcejessie1.7.11-1+deb8u2highDSA-3835-1

Notes

[wheezy] - python-django <no-dsa> (Minor issue; specific to Oracle)
https://www.djangoproject.com/weblog/2016/nov/01/security-releases/
https://github.com/django/django/commit/da7910d4834726eca596af0a830762fa5fb2dfd9

Search for package or bug name: Reporting problems