Re: [Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage python-django for stretch LTS.
Chris Lamb wrote:
> > Don't the new Django vulnerabilities only apply when running with Python 3.7 or
> > newer?
> Replying quickly — possibly, have not looked into the (E)LTS angle yet.
> I was just ensuring that there was no duplicated effort in the LTS
> team as I am the 'regular' maintainer of Django. Will adjust the
> situation when I return to this, either later today or early
Just to follow up on this on-list. Yes, you are absolutely right that
they require Python 3.7 to be vulnerable. However, I did consider that
people were using virtualenv (or a similar mechanism) to use a newer
version of Python. This is, after all, by far the most common way
people are deploying Python web applications.
However, I believe it is extremely unlikely that someone is using a
newer version of Python with our Debian-packaged version of Django.
Far more likely is that people using Python 3.7 in LTS or ELTS will be
using an equally old version of Django itself or a newer one... but
they will be obtaining it via a different means (e.g. via
Therefore I will not be updating Django in LTS or ELTS with respect to
CVE-2020-24583 or CVE-2020-24584 and have updated the repositories to
: :' : Chris Lamb
`. `'` firstname.lastname@example.org 🍥 chris-lamb.co.uk