Re: [Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage python-django for stretch LTS.
On 02/09/2020 12:46, Chris Lamb wrote:
> Chris Lamb wrote:
>>
>>> Don't the new Django vulnerabilities only apply when running with Python 3.7 or
>>> newer?
>>
>> Replying quickly — possibly, have not looked into the (E)LTS angle yet.
>>
>> I was just ensuring that there was no duplicated effort in the LTS
>> team as I am the 'regular' maintainer of Django. Will adjust the
>> situation when I return to this, either later today or early
>> tomorrow.
>
> Just to follow up on this on-list. Yes, you are absolutely right that
> they require Python 3.7 to be vulnerable. However, I did consider that
> people were using virtualenv (or a similar mechanism) to use a newer
> version of Python. This is, after all, by far the most common way
> people are deploying Python web applications.
>
> However, I believe it is extremely unlikely that someone is using a
> newer version of Python with our Debian-packaged version of Django.
> Far more likely is that people using Python 3.7 in LTS or ELTS will be
> using an equally old version of Django itself or a newer one... but
> they will be obtaining it via a different means (e.g. via
> requirements.txt).
>
> Therefore I will not be updating Django in LTS or ELTS with respect to
> CVE-2020-24583 or CVE-2020-24584 and have updated the repositories to
> reflect this.
Makes sense, and I fully agree.
Cheers,
Emilio
Reply to: