Utkarsh Gupta <guptautkarsh2...@gmail.com> writes:

> Please don't yet patch CVE-2019-16782 for Buster, Stretch, Jessie, et al.
> This security update induces a regression, resulting in some issues in
> using the library.
> Also, there's a slight possibility of this patch inducing a backdoor on
> its own.
>
> The issues have already been opened to/with the upstream and I hope
> they're looking into it.
> P.S. Shall update here when available :)

For reference I filed a similar bug against Django
<https://code.djangoproject.com/ticket/31412#comment:8> and they responded with:

> After consideration, the Django Security Team conclude that this is not
> a practical attack vector.
>
> Work on the related hardenings, such as the referenced tickets should
> continue.

I am inclined to think we do not need to worry about patching old releases
for this vulnerability for similar reasons.

--
Brian May <b...@debian.org>