[Debian-ha-maintainers] Bug#930887: Bug#930887: Bug#930887: CVE-2019-10153

Valentin Vidić vvidic at valentin-vidic.from.hr
Mon Jun 24 19:59:21 BST 2019


On Mon, Jun 24, 2019 at 02:03:11PM +0200, wferi at niif.hu wrote:
> According to https://security-tracker.debian.org/tracker/CVE-2019-10153,
> the vulnerable code is not present in stretch.  However, I don't
> understand why this does not count:
> 
> https://salsa.debian.org/ha-team/fence-agents/blob/debian/4.0.25-1/fence/agents/rhevm/fence_rhevm.py#L124
> 
> Also, according to http://pycurl.io/docs/latest/unicode.html#unicode the
> URL conversion to ASCII can fail even when it's implicit, though that
> probably isn't user controllable, thus may not count.

I suppose the upstream marked it for 4.3.3, but we can make a fix for stretch
to be on the safe side?

-- 
Valentin


