
Re: jinja2 update for CVE-2019-10906/CVE-2016-10745



On Sun, Apr 14, 2019 at 12:14:04PM +0200, Hugo Lefeuvre wrote:
> Dear Piotr, security team,
> 
> I am currently working on CVE-2019-10906 and CVE-2016-10745, trying to
> decide if preparing an LTS upload for these issues is worth the trouble.
> 
> These issues seem to absolutely break the jinja2 sandbox, so if sandboxes
> are really used, then we should definitely fix them.
> 
> Otherwise I'd consider marking this no-dsa. Patches are not that small.
> (good point though, there are unit tests)
> 
> I have never used jinja2 sandboxes despite being a jinja2 user for quite a
> while, so I have difficulties asserting the severity of these issues.
> 
> Piotr, do you have any feedback on this?
> 
> Anyways, it only makes sense to me to fix this in Jessie if I also prepare
> a stretch update at the same time.

I've never used that myself either, but reading up on the documentation
it's so full of caveats that I doubt these are really severe issues. Unless
someone has credible claims of the contrary I'm inclined to mark these as
no-dsa for stretch.

Cheers,
        Moritz
