
Re: jinja2 update for CVE-2019-10906/CVE-2016-10745



Hi Moritz,

> I've never used that myself either, but reading up on the documentation
> it's so full of caveats that I doubt these are really severe issues. Unless
> someone has credible claims of the contrary I'm inclined to mark these as
> no-dsa for stretch.

Thanks. We'll go for no-dsa in jessie as well.

I see you have marked CVE-2016-10745 no-dsa in stretch but not
CVE-2019-10906.

Fixing CVE-2019-10906 without CVE-2016-10745 does not make much sense to
me, so I assumed it was an oversight and marked CVE-2019-10906 no-dsa in
stretch as well.

cheers,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
