
Re: [SECURITY] [DLA 590-1] python-django security update



Hi,

On Tue, Aug 09, 2016 at 06:38:46PM +1000, Brian May wrote:
> Package        : python-django
> Version        : 1.4.22-1
> 
> The release team recently approved rebasing jessie on latest
> python-django 1.7.x (see #807654). For similar reasons, it makes sense
> to rebase wheezy on latest 1.4.x, especially since 1.4.x is an LTS
> version.
> 
> Django 1.4.22-1 has been uploaded to wheezy-security to address this.

to address what exactly?

#807654 is a long bug explaining the django-python release process, but
not really why an update was done. 

https://www.debian.org/security/2016/dsa-3622 says django-python 1.7 is
prone to a cross-site scripting vulnerability in the admin's add/change
related popup - is this the issue this DLA is addressing?

IMO a DLA should always explain why an update was done, at least
very briefly. More pointers are good, but just a numeric pointer alone
is a bit too little.

(And, unrelated, the stable update had a +deb8u5 version, I think a
+deb7uX version would have been appropriate here as well.)


-- 
cheers,
	Holger
