[Python-modules-team] Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596
Chris Lamb
lamby at debian.org
Tue Jun 9 16:17:55 BST 2020
Hi Sébastien,
> > Security team, would you like an update for stretch and/or buster to
> > address these issues? It's fixed in sid, experimental as well as
> > jessie LTS. Bullseye is just pending migration time AFAICT.
[…]
> yes, that'd be fine. Is there any chance you could also piggyback the
> fix for CVE-2020-9402 (marked "postponed") on top of the ones for
> CVE-2020-13254 and CVE-2020-13596?
Sure. For buster, I recommend we take the latest security upstream
stable release to fix CVE-2020-9402, but for stretch we will need to
backport all three.
However, I just independently discovered a regression in the latest
change for CVE-2020-13254:
https://code.djangoproject.com/ticket/31654#comment:14
I will wait a few days to see what upstream says. I will also have to
re-release for jessie LTS, alas.
Regards,
--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org 🍥 chris-lamb.co.uk
       `-