CVE-2016-9014

NameCVE-2016-9014
DescriptionDjango before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-706-1, DSA-3835-1
NVD severitymedium (attack range: remote)
Debian Bugs842856

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)wheezy1.4.5-1+deb7u16vulnerable
wheezy (security)1.4.22-1+deb7u3fixed
jessie (security), jessie1.7.11-1+deb8u2fixed
stretch1:1.10.7-2fixed
buster, sid1:1.11.6-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosource(unstable)1:1.10.3-1medium842856
python-djangosourcejessie1.7.11-1+deb8u2mediumDSA-3835-1
python-djangosourcewheezy1.4.22-1+deb7u2mediumDLA-706-1

Notes

https://www.djangoproject.com/weblog/2016/nov/01/security-releases/
https://github.com/django/django/commit/7fe2d8d940fdddd1a02c4754008a27060c4a03e9

Search for package or bug name: Reporting problems