Chris Lamb wrote:
>
> > Don't the new Django vulnerabilities only apply when running with Python
> > 3.7 or newer?
>
> Replying quickly — possibly, have not looked into the (E)LTS angle yet.
>
> I was just ensuring that there was no duplicated effort in the LTS
> team as I am the 'regular' maintainer of Django. Will adjust the
> situation when I return to this, either later today or early
> tomorrow.
Just to follow up on this on-list.

Yes, you are absolutely right that they require Python 3.7 to be vulnerable. However, I did consider that people were using virtualenv (or a similar mechanism) to use a newer version of Python. This is, after all, by far the most common way people are deploying Python web applications.

However, I believe it is extremely unlikely that someone is using a newer version of Python with our Debian-packaged version of Django. Far more likely is that people using Python 3.7 in LTS or ELTS will be using an equally old version of Django itself or a newer one... but they will be obtaining it via a different means (e.g. via requirements.txt).

Therefore I will not be updating Django in LTS or ELTS with respect to CVE-2020-24583 or CVE-2020-24584 and have updated the repositories to reflect this.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-