Moritz Muehlenhoff <j...@debian.org> writes: > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1716286
Hi Moritz, According to https://security-tracker.debian.org/tracker/CVE-2019-10153, the vulnerable code is not present in stretch. However, I don't understand why this does not count: https://salsa.debian.org/ha-team/fence-agents/blob/debian/4.0.25-1/fence/agents/rhevm/fence_rhevm.py#L124 Also, according to http://pycurl.io/docs/latest/unicode.html#unicode the URL conversion to ASCII can fail even when it's implicit, though that probably isn't user controllable, thus may not count. -- Thanks, Feri