jinja2 update for CVE-2019-10906/CVE-2016-10745

Dear Piotr, security team,

I am currently working on CVE-2019-10906 and CVE-2016-10745, trying to
decide if preparing an LTS upload for these issues is worth the trouble.

These issues seem to absolutely break the jinja2 sandbox, so if sandboxes
are really used, then we should definitely fix them.

Otherwise I'd consider marking this no-dsa. Patches are not that small.
(good point though, there are unit tests)

I have never used jinja2 sandboxes despite being a jinja2 user for quite a
while, so I have difficulties asserting the severity of these issues.

Piotr, do you have any feedback on this?

Anyways, it only makes sense to me to fix this in Jessie if I also prepare
a stretch update at the same time.


                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
