[Python-modules-team] Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
Moritz Mühlenhoff
jmm at inutil.org
Tue Sep 3 07:53:43 BST 2019
On Mon, Sep 02, 2019 at 10:36:58PM +0200, Salvatore Bonaccorso wrote:
> Hi Chris,
>
> On Mon, Sep 02, 2019 at 02:07:55PM +0100, Chris Lamb wrote:
> > Chris Lamb wrote:
> >
> > > > > +python-django (1:1.11.23-1~deb10u1) buster-security; urgency=high
> > > >
> > > > Thanks, these both look good; please upload to security-master.
> > >
> > > Both uploaded to security-master.
> >
> > There is now a 1.11.24 (ie. 1:1.11.24-1~deb10u1) upstream:
> >
> > https://docs.djangoproject.com/en/2.2/releases/1.11.24/
> >
> > Shall I go ahead and upload or was .23 already accepted?
>
> Looking at the above change, following the upstream ticket at
> https://code.djangoproject.com/ticket/30672 this does not look like
> either a real new regression or a very exposed
> functionality (the upstream issue speaks of an undocumented and
> untested usage).
>
> Thus (if this is true), this does not really warrant another upload,
> but rather will automatically be fixed in a subsequent (and likely
> arising) update anyway.
Agreed, I'm pretty sure this wasn't the last Django DSA ever :-)
Cheers,
Moritz