On Sun, Apr 14, 2019 at 12:14:04PM +0200, Hugo Lefeuvre wrote:
> Dear Piotr, security team,
>
> I am currently working on CVE-2019-10906 and CVE-2016-10745, trying to
> decide if preparing an LTS upload for these issues is worth the trouble.
>
> These issues seem to absolutely break the jinja2 sandbox, so if sandboxes
> are really used, then we should definitely fix them.
>
> Otherwise I'd consider marking this no-dsa. Patches are not that small.
> (good point though, there are unit tests)
>
> I have never used jinja2 sandboxes despite being a jinja2 user for quite a
> while, so I have difficulties asserting the severity of these issues.
>
> Piotr, do you have any feedback on this?
>
> Anyways, it only makes sense to me to fix this in Jessie if I also prepare
> a stretch update at the same time.
I've never used that myself either, but reading up on the documentation it's so full of caveats that I doubt these are really severe issues. Unless someone has credible claims of the contrary I'm inclined to mark these as no-dsa for stretch.

Cheers,
Moritz