Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add python2.6, 2.7 and claim 2.7
On Wednesday 07 February 2018 12:54 PM, Brian May wrote:
> I see you have claimed Python2.7 but not Python2.6, which both have the
> same vulnerability. CVE-2018-1000030
> Upstream have decided that this is not a security issue, and it has been
> marked no-DSA in Jessie and Stretch. https://bugs.python.org/issue31530
> Do you have any objections to marking python2.6 and python2.7 as no-DSA
> in wheezy too?
No, I don't have any objection. :)
I tried to reproduce this CVE with the given POC from upstream bug
report. But 8 out of 10 I didn't see any. As security team already
marked it as no-dsa we can do the same.