[Python-modules-team] Bug#943509: python-django: FTBFS due to failed tests: failures=7, skipped=891, expected failures=4

László Böszörményi (GCS) gcs at debian.org
Sun Dec 29 16:14:06 GMT 2019


Hi Paul, Chris,

On Sun, Dec 29, 2019 at 4:27 PM Chris Lamb <lamby at debian.org> wrote:

> > @python-django maintainers what does this mean for the functionality of
> > python-django in bullseye? Is it "only" the test that fails and can that
> > thus be temporarily disabled?
>
> I would be amenable to disabling the test in python-django if a
> response or fix in sqlite3 is not forthcoming within a few days.
>
It's a complex situation. SQLite3 upstream recently started fuzzing their
Fossil (a source code management tool like Git) tree. Several vulnerabilities
were found, while upstream says these are only an issue if you allow
unauthenticated users to enter free-form SQL queries against your database.
That means only one possible application, the Chromium browser via WebSQL.
Indeed, a group of security researchers found a way to exploit a remote
code execution in it, called Magellan 2.0 [1]. It was patched meanwhile and
at least Sid is not affected anymore.
While upstream is quick to fix these reported security problems, they
introduced another one at least once. This is true for other fixes as well;
they then broke something else. Maybe this is the reason why 3.31.0 (the
next stable SQLite3 release) was first scheduled for the 31st of December
this year, but it was delayed by a whole month [2]. Of course I can
package the current Fossil tree, but I'm not sure how it would work in many
scenarios. The upstream testing tools and cases are not open source, thus I
can't test it. :-/
As I read it, I should do the packaging nevertheless, or Chris, could you
solve it with disabled tests?

Regards,
Laszlo/GCS
[1] https://blade.tencent.com/magellan2/index_en.html
[2] https://sqlite.org/draft/releaselog/3_31_0.html