Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Django vulnerabilities
Informations
Name USN-3115-1 First vendor Publication 2016-11-01
Vendor Ubuntu Last vendor Modification 2016-11-01
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Django.

Software Description: - python-django: High-level Python web development framework

Details:

Marti Raudsepp discovered that Django incorrectly used a hardcoded password when running tests on an Oracle database. A remote attacker could possibly connect to the database while the tests are running and prevent the test user with the hardcoded password from being removed. (CVE-2016-9013)

Aymeric Augustin discovered that Django incorrectly validated hosts when being run with the debug setting enabled. A remote attacker could possibly use this issue to perform DNS rebinding attacks. (CVE-2016-9014)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.10:
python-django 1.8.7-1ubuntu8.1
python3-django 1.8.7-1ubuntu8.1

Ubuntu 16.04 LTS:
python-django 1.8.7-1ubuntu5.4
python3-django 1.8.7-1ubuntu5.4

Ubuntu 14.04 LTS:
python-django 1.6.1-2ubuntu0.16

Ubuntu 12.04 LTS:
python-django 1.3.1-4ubuntu1.22

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3115-1
CVE-2016-9013, CVE-2016-9014

Package Information:
https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu8.1
https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu5.4
https://launchpad.net/ubuntu/+source/python-django/1.6.1-2ubuntu0.16
https://launchpad.net/ubuntu/+source/python-django/1.3.1-4ubuntu1.22

Original Source

Url : http://www.ubuntu.com/usn/USN-3115-1

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-798 Use of Hard-coded Credentials (CWE/SANS Top 25)
50 % CWE-264 Permissions, Privileges, and Access Controls

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 30
Os 4
Os 2

Nessus® Vulnerability Scanner

Date Description
2017-04-27 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3835.nasl - Type : ACT_GATHER_INFO
2016-11-21 Name : The remote Fedora host is missing a security update.
File : fedora_2016-d4571bf555.nasl - Type : ACT_GATHER_INFO
2016-11-15 Name : The remote Fedora host is missing a security update.
File : fedora_2016-3eb5a55123.nasl - Type : ACT_GATHER_INFO
2016-11-03 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_cb11665179db4c0993a2c38f9df46724.nasl - Type : ACT_GATHER_INFO
2016-11-02 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-3115-1.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
Date Informations
2016-12-14 21:25:51
  • Multiple Updates
2016-12-14 17:26:05
  • Multiple Updates
2016-12-10 00:25:39
  • Multiple Updates
2016-11-03 13:24:29
  • Multiple Updates
2016-11-01 21:56:36
  • First insertion