Moritz Muehlenhoff <j...@debian.org> writes:

> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1716286

Hi Moritz,

According to https://security-tracker.debian.org/tracker/CVE-2019-10153,
the vulnerable code is not present in stretch.  However, I don't
understand why this does not count:

https://salsa.debian.org/ha-team/fence-agents/blob/debian/4.0.25-1/fence/agents/rhevm/fence_rhevm.py#L124

Also, according to http://pycurl.io/docs/latest/unicode.html#unicode the
URL conversion to ASCII can fail even when it's implicit, though that
probably isn't user controllable, thus may not count.
-- 
Thanks,
Feri

Reply via email to