On 28/09/2019 22:36, Ola Lundqvist wrote:
> I have looked a little into CVE-2019-16935. My conclusion is that the
> package is vulnerable but I could not really judge its severity. I have
> a question though. If we find that we should correct it, shouldn't we
> correct also jython and pypy-lib in that case?
> The problem is in DocXMLRPCServer.py and that file exists also in the
> other two packages. Or should we assume there will be a different CVE
> for those packages?
> https://packages.debian.org/search?searchon=contents&keywords=DocXMLRPCServer.py&mode=exactfilename&suite=oldstable&arch=any
I would reference python and pypy-lib in data/CVE/list, indeed.
Do you want to do that?
As for the severity, from what I read this is a reflected XSS, that is
also hypothetical as this would affect an unknown third-party app making
use of DocXMLRPCServer and setting the server title from untrusted input.
So low IMHO.
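As an added example, not part of this thread: a Python 3 check against xmlrpc.server (where the DocXMLRPCServer code lives in Python 3) that renders the documentation page with a constructed untrusted title and reports whether the interpreter escapes it, plus an application-side validator that rejects such titles instead of escaping them, since escaping in the application would double-escape on a patched interpreter. The function names and the marker title are my own.

```python
import html
from xmlrpc.server import DocCGIXMLRPCRequestHandler

# Constructed untrusted title with HTML metacharacters (hypothetical sample,
# not from the report); the tag name is made up so it cannot collide with
# markup that pydoc emits itself.
UNTRUSTED_TITLE = '<marker title="x">audit</marker>'

HTML_METACHARS = set('<>&"\'')


def render_docs_with_title(title):
    """Build the documentation page the way DocXMLRPCServer does, without
    binding a socket: DocCGIXMLRPCRequestHandler shares the same
    XMLRPCDocGenerator mixin and generate_html_documentation() method."""
    handler = DocCGIXMLRPCRequestHandler()
    handler.set_server_title(title)
    return handler.generate_html_documentation()


def title_is_neutralised(title):
    """True if this interpreter's xmlrpc.server escapes the server title
    before placing it in the generated HTML (the CVE-2019-16935 fix)."""
    escaped = html.escape(title)
    if escaped == title:
        raise ValueError("title has no HTML metacharacters; nothing to check")
    page = render_docs_with_title(title)
    return title not in page and escaped in page


def validate_server_title(title):
    """Application-side mitigation independent of the stdlib version: reject
    titles carrying HTML metacharacters rather than escaping them, because a
    patched interpreter escapes too and would then double-escape."""
    if any(ch in HTML_METACHARS for ch in title):
        raise ValueError("server title must not contain HTML metacharacters")
    return title


if __name__ == "__main__":
    print("stdlib escapes server title:", title_is_neutralised(UNTRUSTED_TITLE))
    print("accepted title:", validate_server_title("Billing XML-RPC API"))
```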