Marti Raudsepp discovered that Django incorrectly used a hardcoded password when running tests on an Oracle database. A remote attacker could possibly connect to the database while the tests are running and prevent the test user with the hardcoded password from being removed. (CVE-2016-9013)
Aymeric Augustin discovered that Django incorrectly validated hosts when being run with the debug setting enabled. A remote attacker could possibly use this issue to perform DNS rebinding attacks. (CVE-2016-9014)