Bug 1389414 (CVE-2016-9013)

Summary: CVE-2016-9013 python-django: user with hardcoded password created when running tests on Oracle
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: apevec, ayoung, bkearney, cbillett, chrisw, cvsbot-xmlrpc, hvyas, jschluet, kbasil, lhh, lpeer, markmc, mrunge, nthomas, rbryant, sankarshan, sclewis, security-response-team, sisharma, srevivo, tdecacqu, tomckay
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Django 1.10.3, Django 1.9.11, Django 1.8.16
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 03:01:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1390684, 1390685, 1390687
Bug Blocks: 1389419
Attachments (description, flags):
oracle-1.10.x.diff (none)
oracle-1.8.x.diff (none)
oracle-1.9.x.diff (none)
oracle-master.diff (none)

Description Martin Prpič 2016-10-27 14:26:24 UTC
The following flaw was reported in Django:

When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the database settings 'TEST' dictionary, a hardcoded password is used. This could allow an attacker with network access to the database server to connect.

This user is usually dropped after the test suite completes, but not when using the 'manage.py test --keepdb' option or if the user has an active session (such as an attacker's connection).

A randomly generated password is now used for each test run.
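
As an added illustration (not Django's own code and not the attached patches), the following Python audits a DATABASES setting for the condition described above, an Oracle alias whose 'TEST' dictionary carries no PASSWORD, and returns a hardened copy with a per-run random password, which is what the fix does. The engine string 'django.db.backends.oracle' is Django's real Oracle backend name; the sample DATABASES dictionary and its placeholder credentials are constructed, and the `secrets` module stands in for whatever upstream uses to generate the value.

```python
"""Audit Django DATABASES settings for the CVE-2016-9013 condition.

Added example, not Django project code. Assumes the Oracle backend is
identified by ENGINE == 'django.db.backends.oracle' and that the test
database password lives at DATABASES[alias]['TEST']['PASSWORD'].
"""
import copy
import secrets

ORACLE_ENGINE = "django.db.backends.oracle"


def find_unprotected_oracle_test_users(databases):
    """Return aliases whose Oracle test user would get a default password
    on Django older than the fixed versions (1.8.16, 1.9.11, 1.10.3)."""
    flagged = []
    for alias, conf in databases.items():
        if conf.get("ENGINE") != ORACLE_ENGINE:
            continue
        test_settings = conf.get("TEST") or {}
        if not test_settings.get("PASSWORD"):
            flagged.append(alias)
    return sorted(flagged)


def harden(databases):
    """Return a deep copy in which every flagged alias gets a fresh random
    TEST password; the original mapping is left untouched."""
    hardened = copy.deepcopy(databases)
    for alias in find_unprotected_oracle_test_users(databases):
        test_settings = hardened[alias].get("TEST") or {}
        # secrets stands in for upstream's generator; a new value per run.
        test_settings["PASSWORD"] = secrets.token_urlsafe(24)
        hardened[alias]["TEST"] = test_settings
    return hardened


# Constructed sample: one Oracle alias without a TEST password, one with,
# and one non-Oracle alias. Names and credentials are placeholders.
SAMPLE_DATABASES = {
    "default": {"ENGINE": ORACLE_ENGINE, "NAME": "xe", "USER": "app",
                "PASSWORD": "PLACEHOLDER", "TEST": {}},
    "reporting": {"ENGINE": ORACLE_ENGINE, "NAME": "xe",
                  "TEST": {"PASSWORD": "PLACEHOLDER"}},
    "cache": {"ENGINE": "django.db.backends.sqlite3", "NAME": ":memory:"},
}

if __name__ == "__main__":
    print(find_unprotected_oracle_test_users(SAMPLE_DATABASES))  # ['default']
    print(find_unprotected_oracle_test_users(harden(SAMPLE_DATABASES)))  # []
```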

Comment 1 Martin Prpič 2016-10-27 14:26:42 UTC
Acknowledgments:

Name: the Django project

Comment 2 Martin Prpič 2016-10-27 14:35:28 UTC
Created attachment 1214631 [details]
oracle-1.10.x.diff

Comment 3 Martin Prpič 2016-10-27 14:35:35 UTC
Created attachment 1214632 [details]
oracle-1.8.x.diff

Comment 4 Martin Prpič 2016-10-27 14:35:42 UTC
Created attachment 1214633 [details]
oracle-1.9.x.diff

Comment 5 Martin Prpič 2016-10-27 14:35:51 UTC
Created attachment 1214634 [details]
oracle-master.diff

Comment 6 Andrej Nemec 2016-11-01 16:32:22 UTC
Public via:

https://www.djangoproject.com/weblog/2016/nov/01/security-releases/

Comment 7 Andrej Nemec 2016-11-01 16:35:57 UTC
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1390685]

Comment 8 Andrej Nemec 2016-11-01 16:36:10 UTC
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1390684]

Comment 9 Andrej Nemec 2016-11-01 16:37:29 UTC
Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1390687]