[Debian-ha-maintainers] Bug#930887: Bug#930887: CVE-2019-10153

wferi at niif.hu wferi at niif.hu
Mon Jun 24 13:03:11 BST 2019


Moritz Muehlenhoff <jmm at debian.org> writes:

> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1716286

Hi Moritz,

According to https://security-tracker.debian.org/tracker/CVE-2019-10153,
the vulnerable code is not present in stretch.  However, I don't
understand why this does not count:

https://salsa.debian.org/ha-team/fence-agents/blob/debian/4.0.25-1/fence/agents/rhevm/fence_rhevm.py#L124

Also, according to http://pycurl.io/docs/latest/unicode.html#unicode the
URL conversion to ASCII can fail even when it's implicit, though that
probably isn't user controllable, thus may not count.
-- 
Thanks,
Feri


