[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage python-django for stretch LTS.

Chris Lamb wrote:
> > Don't the new Django vulnerabilities only apply when running with Python 3.7 or
> > newer?
> Replying quickly — possibly, have not looked into the (E)LTS angle yet.
> I was just ensuring that there was no duplicated effort in the LTS
> team as I am the 'regular' maintainer of Django. Will adjust the
> situation when I return to this, either later today or early
> tomorrow.

Just to follow up on this on-list. Yes, you are absolutely right that
they require Python 3.7 to be vulnerable. However, I did consider that
people were using virtualenv (or a similar mechanism) to use a newer
version of Python. This is, after all, by far the most common way
people are deploying Python web applications.

However, I believe it is extremely unlikely that someone is using a
newer version of Python with our Debian-packaged version of Django.
Far more likely is that people using Python 3.7 in LTS or ELTS will be
using an equally old version of Django itself or a newer one... but
they will be obtaining it via a different means (e.g. via

Therefore I will not be updating Django in LTS or ELTS with respect to
CVE-2020-24583 or CVE-2020-24584 and have updated the repositories to
reflect this.


     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk

Reply to: