Valentin Vidić <vvi...@valentin-vidic.from.hr> writes:

> On Mon, Jun 24, 2019 at 02:03:11PM +0200, wf...@niif.hu wrote:
>
>> According to https://security-tracker.debian.org/tracker/CVE-2019-10153,
>> the vulnerable code is not present in stretch. However, I don't
>> understand why this does not count:
>>
>> https://salsa.debian.org/ha-team/fence-agents/blob/debian/4.0.25-1/fence/agents/rhevm/fence_rhevm.py#L124
>>
>> Also, according to http://pycurl.io/docs/latest/unicode.html#unicode the
>> URL conversion to ASCII can fail even when it's implicit, though that
>> probably isn't user controllable, thus may not count.
>
> I suppose the upstream marked it for 4.3.3

https://bugzilla.redhat.com/show_bug.cgi?id=1716286 is more general,
mentioning "fence-agents prior to version 4.3.4".

> but we can make a fix for stretch to be on the safe side?

I think so, but I may overlook something. Also, I find the switch to
UTF-8 decoding a somewhat unsatisfactory fix: is it wise to depend on
the result being correctly UTF-8 encoded? If anything goes wrong, an
exception is thrown all the same; it depends on the server. It may be
desirable, though, I don't know a thing about rhevm.
-- 
Feri
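The point raised above, that an implicit ASCII decode and an explicit UTF-8 decode both abort with an exception when the device returns bytes the codec cannot map, can be reproduced in isolation. The following is an added example and not code from fence-agents or from anyone in this thread; the three response bodies are constructed, and `decode_response`, `classify`, `comparison` and `extract_state` are hypothetical helper names. It shows which strict decodes raise `UnicodeDecodeError` and one tolerant alternative that lets the agent's own status parsing decide what to do with an odd reply instead of crashing.

```python
import re

# Added example (not fence-agents code): how decoding a fencing device's
# HTTP response behaves under the strategies the thread compares.
# The response bodies below are constructed, not captured from a real server.


def decode_response(raw: bytes, encoding: str = "utf-8", tolerant: bool = False) -> str:
    """Decode a raw HTTP body.

    Strict mode mirrors what an implicit ASCII conversion (Python 2
    str -> unicode) or a plain .decode('utf-8') does: any byte the codec
    cannot map raises UnicodeDecodeError, which, if uncaught, aborts the
    agent. Tolerant mode substitutes U+FFFD for undecodable bytes so the
    caller can still inspect the reply.
    """
    errors = "replace" if tolerant else "strict"
    return raw.decode(encoding, errors=errors)


def classify(raw: bytes, encoding: str) -> str:
    """Return 'ok' or 'UnicodeDecodeError' for a strict decode of raw."""
    try:
        decode_response(raw, encoding)
        return "ok"
    except UnicodeDecodeError:
        return "UnicodeDecodeError"


# Constructed sample bodies in the shape of a small XML status reply.
ASCII_BODY = b"<vm><status><state>up</state></status></vm>"
# 'café' encoded as UTF-8: valid UTF-8, not valid ASCII.
UTF8_BODY = b"<vm><name>caf\xc3\xa9</name><status><state>up</state></status></vm>"
# 'café' encoded as Latin-1: 0xE9 followed by '<' is not valid UTF-8 either.
LATIN1_BODY = b"<vm><name>caf\xe9</name><status><state>up</state></status></vm>"


def comparison() -> dict:
    """Outcome of a strict decode for each body under each encoding."""
    bodies = (("ascii", ASCII_BODY), ("utf8", UTF8_BODY), ("latin1", LATIN1_BODY))
    return {name: {enc: classify(body, enc) for enc in ("ascii", "utf-8")}
            for name, body in bodies}


def extract_state(raw: bytes) -> str:
    """Decode tolerantly, then pull the <state> value; never raises on odd bytes."""
    text = decode_response(raw, "utf-8", tolerant=True)
    match = re.search(r"<state>([^<]*)</state>", text)
    return match.group(1) if match else ""


if __name__ == "__main__":
    for name, outcomes in comparison().items():
        print(name, outcomes)
    print(extract_state(LATIN1_BODY))
```

Running it shows that the UTF-8 switch widens the set of accepted replies (the UTF-8 body now decodes) but does not remove the failure mode: a Latin-1 byte sequence still raises under both codecs, exactly as the mail above says, and only the tolerant decode reaches the status parser.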