On Fri, Nov 04, 2016 at 05:56:32PM +1100, Brian May wrote:
> Ben Hutchings <b...@decadent.org.uk> writes:
>
> > I'm not convinced this even warrants a security advisory.
>
> Same here. So maybe I should just mark it no-dsa? Possibly confirming
> with the security-team first to see if I should also mark Jessie no-dsa
> too.
I put python-django into dla-needed since I think it's affected by two CVEs, CVE-2016-9013 and CVE-2016-9014. Both are marked as no-dsa ("Minor issue; can be updated via point release") by the security team, which I think is o.k., but we don't have any point releases in wheezy-lts at the moment, so I'm reluctant to do the same when triaging CVEs.

I agree that for CVE-2016-9013 the combination of using Oracle, plus running manage.py test --keepdb, plus having cx_oracle (which is not in Debian) on the system is a rare one, so no-dsa is fine in this case (and sorry for not marking it as such from the beginning).

For CVE-2016-9014 see my other mail.

Cheers,
-- 
Guido