CVE-2016-9013

NameCVE-2016-9013
DescriptionDjango 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3835-1
NVD severityhigh
Debian Bugs842856

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)stretch1:1.10.7-2+deb9u9fixed
stretch (security)1:1.10.7-2+deb9u14fixed
buster, buster (security)1:1.11.29-1~deb10u1fixed
bullseye, sid2:2.2.24-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosourcejessie1.7.11-1+deb8u2DSA-3835-1
python-djangosource(unstable)1:1.10.3-1842856

Notes

[wheezy] - python-django <no-dsa> (Minor issue; specific to Oracle)
https://www.djangoproject.com/weblog/2016/nov/01/security-releases/
https://github.com/django/django/commit/da7910d4834726eca596af0a830762fa5fb2dfd9

Search for package or bug name: Reporting problems