On Fri, 04 Nov 2016, Chris Lamb wrote:
> Guido Günther wrote:
>
> > Isn't this also affected by a rebinding attack since we allow any host
> > in debug mode?
>
> If it helps, speaking as a regular Django developer, if you've got
> ``settings.DEBUG`` enabled in production you have much bigger problems
> than a rebinding attack…
The whole case of this CVE is not about using settings.DEBUG in production
but about a possible cross-site scripting attack targeting a Django developer
who might have a Django application running locally in DEBUG mode (and which
might be configured to hit a remote database).

So I tend to agree with Guido, I would suspect that this CVE affects Wheezy
too and we need a clear explanation of why that would not be the case.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
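The thread turns on the "we allow any host in debug mode" point: a local development server that answers to any Host header is what a rebinding attack needs. The following is an added illustration, not Django's own code and not part of the thread; it shows the kind of Host-header allowlist check that closes that gap, run over a few constructed Host headers. The names in LOCAL_ALLOWED_HOSTS and the sample headers are assumptions made for the example (in Django terms, the allowlist corresponds to what a developer would put in ALLOWED_HOSTS even while DEBUG is on).

```python
# Added example: a Host-header allowlist check of the kind that protects a
# locally running development server. This is not Django's implementation;
# the real validate_host() differs in detail.
import re

# Assumed allowlist for a developer's local instance.
LOCAL_ALLOWED_HOSTS = ["localhost", "127.0.0.1", "[::1]"]

# Matches either a bracketed IPv6 literal or a plain hostname/IPv4, with an
# optional ":port" suffix.
_HOST_PORT_RE = re.compile(r"^(\[[0-9a-fA-F:.]+\]|[^:\[\]]+)(?::(\d+))?$")


def split_host_port(host_header):
    """Split 'localhost:8000' or '[::1]:8000' into (host, port).

    Returns (None, None) for a header that is not a well-formed host."""
    m = _HOST_PORT_RE.match(host_header.strip())
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2)


def host_allowed(host_header, allowed_hosts):
    """Return True only when the Host header names one of allowed_hosts.

    Accepts exact matches, '*' (allow everything), and leading-dot patterns
    such as '.example.com' that cover the domain and its subdomains.
    An empty allowlist, i.e. the "any host is fine" behaviour the thread is
    worried about, is treated as a misconfiguration and rejects everything."""
    host, _port = split_host_port(host_header)
    if host is None or not allowed_hosts:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


def check_requests(host_headers, allowed_hosts):
    """Evaluate a batch of Host headers; returns (header, accepted) pairs."""
    return [(h, host_allowed(h, allowed_hosts)) for h in host_headers]


# Constructed sample Host headers. The first three are what a browser sends
# to a local dev server; the last is the shape a rebinding attack produces,
# where an external name has been pointed at the developer's machine but the
# Host header still carries that external name. Only the allowlist tells the
# two cases apart.
SAMPLE_HOSTS = ["localhost:8000", "127.0.0.1:8000", "[::1]:8000", "attacker.example:8000"]

if __name__ == "__main__":
    for host, ok in check_requests(SAMPLE_HOSTS, LOCAL_ALLOWED_HOSTS):
        print(f"{host:<25} {'accepted' if ok else 'rejected (disallowed host)'}")
```

The point for the Wheezy question is that the check has to be applied regardless of DEBUG: a developer's local instance, possibly talking to a remote database, is exactly the deployment the attack targets, so an empty or wildcard allowlist in debug mode is the weak setting and an explicit list of local names is the corrected one.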
