Brian May <b...@debian.org> writes: >> That's not the issue being patched. > > Ooops. Will fix the changelog before I upload.
Here is a fixed diff:
diff -Nru python-django-1.4.22/debian/changelog python-django-1.4.22/debian/changelog
--- python-django-1.4.22/debian/changelog 2016-10-07 07:17:00.000000000 +1100
+++ python-django-1.4.22/debian/changelog 2016-11-11 17:44:37.000000000 +1100
@@ -1,3 +1,11 @@
+python-django (1.4.22-1+deb7u2) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True.
+ Attacker could attack services listening on localhost.
+
+ -- Brian May <b...@debian.org> Thu, 03 Nov 2016 18:08:17 +1100
+
 python-django (1.4.22-1+deb7u1) wheezy-security; urgency=high
 
 * CVE-2016-7401: CSRF protection bypass on a site with Google Analytics.
diff -Nru python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch
--- python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch 1970-01-01 10:00:00.000000000 +1000
+++ python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch 2016-11-10 09:07:19.000000000 +1100
@@ -0,0 +1,43 @@
+--- a/django/http/__init__.py
++++ b/django/http/__init__.py
+@@ -215,7 +215,7 @@
+ if server_port != (self.is_secure() and '443' or '80'):
+ host = '%s:%s' % (host, server_port)
+
+- allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
++ allowed_hosts = settings.ALLOWED_HOSTS
+ if validate_host(host, allowed_hosts):
+ return host
+ else:
+--- a/tests/regressiontests/requests/tests.py
++++ b/tests/regressiontests/requests/tests.py
+@@ -261,13 +261,22 @@
+ request.get_host()
+
+ @override_settings(DEBUG=True, ALLOWED_HOSTS=[])
+- def test_host_validation_disabled_in_debug_mode(self):
+- """If ALLOWED_HOSTS is empty and DEBUG is True, all hosts pass."""
+- request = HttpRequest()
+- request.META = {
+- 'HTTP_HOST': 'example.com',
+- }
+- self.assertEqual(request.get_host(), 'example.com')
++ def test_host_validation_in_debug_mode(self):
++ """
++ If ALLOWED_HOSTS is empty and DEBUG is True, variants of localhost are
++ allowed.
++ """
++ valid_hosts = ['localhost', '127.0.0.1', '[::1]']
++ for host in valid_hosts:
++ request = HttpRequest()
++ request.META = {'HTTP_HOST': host}
++ # self.assertEqual(request.get_host(), host)
++
++ # Other hostnames raise a SuspiciousOperation.
++ with self.assertRaises(SuspiciousOperation):
++ request = HttpRequest()
++ request.META = {'HTTP_HOST': 'example.com'}
++ request.get_host()
+
+ def test_near_expiration(self):
+ "Cookie will expire when an near expiration time is provided"
diff -Nru python-django-1.4.22/debian/patches/series python-django-1.4.22/debian/patches/series
--- python-django-1.4.22/debian/patches/series 2016-10-07 07:16:07.000000000 +1100
+++ python-django-1.4.22/debian/patches/series 2016-11-08 09:01:14.000000000 +1100
@@ -7,3 +7,4 @@
 0007-is_safe_url-crashes-with-a-byestring-URL-on-Python-2.patch
 0008-CVE-2016-2513-Fixed-user-enumeration-timing-attack-d.patch
 0009-CVE-2016-7401.patch
+0010-CVE-2016-9014.patch
-- Brian May <b...@debian.org>
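Review bot: The loopback assertion in the new test is commented out (`# self.assertEqual(request.get_host(), host)`), so test_host_validation_in_debug_mode never checks the behaviour its docstring describes, and the loop over valid_hosts builds requests that are never inspected. The likely cause is the code change in django/http/__init__.py, where `allowed_hosts = settings.ALLOWED_HOSTS` is now taken unconditionally, so with DEBUG=True and ALLOWED_HOSTS=[] the localhost variants are presumably rejected as well, which is stricter than both the docstring and the changelog entry state. If the intended behaviour is the one the docstring describes, keep the explicit setting but fall back to the loopback names only when it is empty in debug mode: `allowed_hosts = settings.ALLOWED_HOSTS` / `if settings.DEBUG and not allowed_hosts:` / `    allowed_hosts = ['localhost', '127.0.0.1', '[::1]']`, and restore the assertion in the test so the fix is actually exercised. The get_host method and the test class both start and end outside the quoted hunks.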