
Re: [Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage python-django for stretch LTS.



Chris Lamb wrote:
>
> > Don't the new Django vulnerabilities only apply when running with Python 3.7 or
> > newer?
>
> Replying quickly — possibly, have not looked into the (E)LTS angle yet.
>
> I was just ensuring that there was no duplicated effort in the LTS
> team as I am the 'regular' maintainer of Django. Will adjust the
> situation when I return to this, either later today or early
> tomorrow.

Just to follow up on this on-list. Yes, you are absolutely right that
they require Python 3.7 to be vulnerable. However, I did consider that
people were using virtualenv (or a similar mechanism) to use a newer
version of Python. This is, after all, by far the most common way
people are deploying Python web applications.

However, I believe it is extremely unlikely that someone is using a
newer version of Python with our Debian-packaged version of Django.
Far more likely is that people using Python 3.7 in LTS or ELTS will be
using an equally old version of Django itself or a newer one... but
they will be obtaining it via a different means (e.g. via
requirements.txt).

Therefore I will not be updating Django in LTS or ELTS with respect to
CVE-2020-24583 or CVE-2020-24584 and have updated the repositories to
reflect this.


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `- 
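Editor's note: the triage above rests on one condition: a host is only exposed to a Python 3.7+ issue in the Debian-packaged Django if the interpreter that actually imports that package is 3.7 or newer. The following is an added example, not code from the thread, from Django or from Debian, that checks that condition on a host. It assumes that Debian-packaged Python modules live under /usr/lib/python3/dist-packages (the standard Debian location) and treats a Django imported from anywhere else, e.g. a virtualenv's site-packages, as obtained by other means (pip, requirements.txt) rather than from the Debian package.

```python
"""Added example (not part of the original mailing-list thread).

Classifies a Django installation the way the triage reasoning above does:
  - Debian-packaged Django on a Python < 3.7 interpreter (e.g. stretch's
    python3 is 3.5): the Python-3.7-only issues do not apply.
  - Debian-packaged Django imported by a Python >= 3.7 interpreter: the
    combination the LTS decision considers extremely unlikely.
  - Django imported from outside /usr/lib/python3/dist-packages: obtained by
    other means (pip/virtualenv), so the Debian package is not what is running.

Assumption: /usr/lib/python3/dist-packages is where Debian installs Python
modules; anything else is treated as not Debian-packaged.
"""
import sys
from pathlib import PurePosixPath

DEBIAN_DIST_PACKAGES = PurePosixPath("/usr/lib/python3/dist-packages")
MIN_AFFECTED_PYTHON = (3, 7)  # the issues require Python 3.7 or newer

DEBIAN_DJANGO_NEW_PYTHON = "debian-django-on-python->=3.7"
DEBIAN_DJANGO_OLD_PYTHON = "debian-django-on-python-<3.7"
NON_DEBIAN_DJANGO = "django-not-from-debian-package"


def is_debian_packaged(module_path):
    """True if module_path lies under Debian's dist-packages directory."""
    path = PurePosixPath(module_path)
    return DEBIAN_DIST_PACKAGES in path.parents


def assess(python_version, django_path):
    """Classify (python_version, path of the imported django package).

    python_version: a tuple such as sys.version_info[:2] or (3, 5).
    django_path:    the django package's __file__ (or its directory).
    """
    major_minor = tuple(python_version[:2])
    if not is_debian_packaged(django_path):
        return NON_DEBIAN_DJANGO
    if major_minor >= MIN_AFFECTED_PYTHON:
        return DEBIAN_DJANGO_NEW_PYTHON
    return DEBIAN_DJANGO_OLD_PYTHON


def assess_running_interpreter():
    """Run the check against the interpreter executing this script.

    Returns None when Django cannot be imported at all.
    """
    try:
        import django  # noqa: F401 (only the import location matters)
    except ImportError:
        return None
    return assess(sys.version_info[:2], django.__file__)


if __name__ == "__main__":
    result = assess_running_interpreter()
    print(result if result is not None else "django is not importable here")
```

Run it with the same interpreter that serves the application (for a virtualenv, the venv's python), since that is the interpreter whose version and import path decide the outcome; running it with the system /usr/bin/python3 only tells you about the Debian-packaged combination.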

