
Re: [SECURITY] [DLA 590-1] python-django security update

Holger Levsen <holger@layer-acht.org> writes:

> ah, CVE-2016-6186! :-) That "magic string" should have been part of your
> announcement and of course that's very easy to say now.

... except CVE-2016-6186 had already been fixed by DLA 555-1 for Django
version 1.4.5-1+deb7u17 - so it seemed pointless referring to a CVE that
had already been fixed.

> /me nods. It's hard(er) to review / improve something which "aint
> there" (yet) or is only posted as a link. I guess I would have
> probably said something if you had posted the full text of this DLA to
> this list, so that one can easily read it in the mail client…

I was considering sending the text here and asking for help. This would
have delayed the DLA by up to 24 hours; however, my experience has been
that people get upset fast if the DLA isn't sent immediately.

I think in future I will just delay the DLA anyway.
Brian May <bam@debian.org>
