
Re: CVE-2016-9013 / django-python



On Fri, Nov 04, 2016 at 05:56:32PM +1100, Brian May wrote:
> Ben Hutchings <ben@decadent.org.uk> writes:
> 
> > I'm not convinced this even warrants a security advisory.
> 
> Same here. So maybe I should just mark it no-dsa? Possibly confirming
> with the security-team first to see if I should also mark Jessie no-dsa
> too.

I put python-django into dla-needed since I think it's affected by two
CVEs:

    CVE-2016-9013
    CVE-2016-9014

Both are marked as no-dsa ("Minor issue; can be updated via point
release") by the security team, which I think is o.k., but we don't have
any point releases in wheezy-lts at the moment, so I'm reluctant to do
so when triaging CVEs. I agree that for CVE-2016-9013 the combination of
using Oracle plus running

    manage.py test --keepdb

plus having cx_oracle (which is not in Debian) on the system is a rare
one, so no-dsa is fine in this case (and sorry for not marking it as such
from the beginning). For CVE-2016-9014 see my other mail.

Cheers,
 -- Guido

