[Python-modules-team] Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235

Moritz Muehlenhoff jmm at inutil.org
Thu Aug 8 11:17:30 BST 2019


On Thu, Aug 08, 2019 at 11:02:48AM +0100, Chris Lamb wrote:
> Hi Sébastien,
> 
> > > Security team (added to CC), would you be interested in uploads for
> > > buster (currently 1:1.11.22-1~deb10u1) and stretch (currently
> > > 1:1.10.7-2+deb9u5)?
> […]
> > yes, thank you. Can you email us debdiffs? I'll then take care of the
> > review and DSAs.
> 
> I've attached these and the testsuites (etc.) are
> all green on my test machines.
> 
> Note that the previous changelog entry in buster was:
> 
>      python-django (1:1.11.22-1~deb10u1) buster-security; urgency=high
> 
>       * No-change update for buster-security.
>       * Update debian/gbp.conf for new debian/buster branch.
> 
>      -- Chris Lamb <lamby at debian.org>  Wed, 03 Jul 2019 15:18:13 -0300
> 
> … and that I've tentatively versioned the updated version to address
> these new CVEs as 1:1.11.22-1+deb10u1 (i.e. with a plus, not a tilde).

It doesn't really matter as there will be no further 1.11 updates in sid,
so both should be fine.

> I mention it specifically as I'm not 100% confident this is correct
> and Lintian somewhat-correctly complained about a "missing" version
> (to wit, 1:1.11.22-1 is technically missing).

Where does Lintian parse the data about existing releases? How does it
know that 1:1.11.22-1 is missing?

Cheers,
        Moritz