Hi, On 28/09/2019 22:36, Ola Lundqvist wrote: > I have looked a little into CVE-2019-16935. My conclusion is that the > package is vulnerable but I could not really judge its severity. I have > a question though. If we find that we should correct it, shouldn't we > correct also jython and pypy-lib in that case? > > The problem is in DocXMLRPCServer.py and that file exist also in the > other two packages. Or should we assume there will be a different CVE > for those packages? > > https://packages.debian.org/search?searchon=contents&keywords=DocXMLRPCServer.py&mode=exactfilename&suite=oldstable&arch=any >
I would reference python and pypy-lib in data/CVE/list, indeed. Do you want to do that? As for the severity, from what I read this is a reflected XSS, that is also hypothetical as this would affect an unknown third-party app making use of DocXMLRPCServer and setting the server title from untrusted input. So low IMHO. Cheers! Sylvain