CVE-2016-9014

NameCVE-2016-9014
DescriptionDjango before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-706-1, DSA-3835-1
NVD severitymedium (attack range: remote)
Debian Bugs842856

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)jessie, jessie (security)1.7.11-1+deb8u3fixed
stretch1:1.10.7-2+deb9u1fixed
stretch (security)1:1.10.7-2+deb9u2fixed
buster, sid1:1.11.15-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosource(unstable)1:1.10.3-1medium842856
python-djangosourcejessie1.7.11-1+deb8u2mediumDSA-3835-1
python-djangosourcewheezy1.4.22-1+deb7u2mediumDLA-706-1

Notes

https://www.djangoproject.com/weblog/2016/nov/01/security-releases/
https://github.com/django/django/commit/7fe2d8d940fdddd1a02c4754008a27060c4a03e9

Search for package or bug name: Reporting problems