Re: jinja2 update for CVE-2019-10906/CVE-2016-10745
On Sun, Apr 14, 2019 at 12:14:04PM +0200, Hugo Lefeuvre wrote:
> Dear Piotr, security team,
>
> I am currently working on CVE-2019-10906 and CVE-2016-10745, trying to
> decide if preparing an LTS upload for these issues is worth the trouble.
>
> These issues seem to absolutely break the jinja2 sandbox, so if sandboxes
> are really used, then we should definitely fix them.
>
> Otherwise I'd consider marking this no-dsa. Patches are not that small.
> (good point though, there are unit tests)
>
> I have never used jinja2 sandboxes despite being a jinja2 user for quite a
> while, so I have difficulties assessing the severity of these issues.
>
> Piotr, do you have any feedback on this?
>
> Anyways, it only makes sense to me to fix this in Jessie if I also prepare
> a stretch update at the same time.
I've never used that myself either, but reading up on the documentation
it's so full of caveats that I doubt these are really severe issues. Unless
someone has credible claims to the contrary, I'm inclined to mark these as
no-dsa for stretch.
Cheers,
Moritz