Re: CVE-2019-16935/python*

To: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: CVE-2019-16935/python*
From: Sylvain Beucler <beuc@beuc.net>
Date: Mon, 30 Sep 2019 12:48:16 +0200
Message-id: <[🔎] 926803ff-7b7a-9c88-2624-86c231c77b7e@beuc.net>
In-reply-to: <[🔎] CABY6=0=gmM4Wvu4=m8D0MPr53OqQsUyRqro0iTr6+o5qpif+oQ@mail.gmail.com>
References: <[🔎] CABY6=0=gmM4Wvu4=m8D0MPr53OqQsUyRqro0iTr6+o5qpif+oQ@mail.gmail.com>

Hi,

On 28/09/2019 22:36, Ola Lundqvist wrote:
> I have looked a little into CVE-2019-16935. My conclusion is that the
> package is vulnerable but I could not really judge its severity. I have
> a question though. If we find that we should correct it, shouldn't we
> correct also jython and pypy-lib in that case?
> 
> The problem is in DocXMLRPCServer.py and that file exist also in the
> other two packages. Or should we assume there will be a different CVE
> for those packages?
> 
> https://packages.debian.org/search?searchon=contents&keywords=DocXMLRPCServer.py&mode=exactfilename&suite=oldstable&arch=any  ;

I would reference python and pypy-lib in data/CVE/list, indeed.
Do you want to do that?

As for the severity, from what I read this is a reflected XSS, that is
also hypothetical as this would affect an unknown third-party app making
use of DocXMLRPCServer and setting the server title from untrusted input.
So low IMHO.

Cheers!
Sylvain

Reply to:

Follow-Ups:
- Re: CVE-2019-16935/python*
  - From: Ola Lundqvist <ola@inguza.com>

References:
- CVE-2019-16935
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity
Next by Date: Training process
Previous by thread: CVE-2019-16935
Next by thread: Re: CVE-2019-16935/python*
Index(es):
- Date
- Thread