Hi

jython and pypy-lib added now. Also marked it as ignored for LTS.

Best regards

// Ola

On Mon, 30 Sep 2019 at 12:48, Sylvain Beucler <[email protected]> wrote:
> Hi,
>
> On 28/09/2019 22:36, Ola Lundqvist wrote:
> > I have looked a little into CVE-2019-16935. My conclusion is that the
> > package is vulnerable but I could not really judge its severity. I have
> > a question though. If we find that we should correct it, shouldn't we
> > correct also jython and pypy-lib in that case?
> >
> > The problem is in DocXMLRPCServer.py and that file exists also in the
> > other two packages. Or should we assume there will be a different CVE
> > for those packages?
> >
> > https://packages.debian.org/search?searchon=contents&keywords=DocXMLRPCServer.py&mode=exactfilename&suite=oldstable&arch=any
>
> I would reference python and pypy-lib in data/CVE/list, indeed.
> Do you want to do that?
>
> As for the severity, from what I read this is a reflected XSS, that is
> also hypothetical as this would affect an unknown third-party app making
> use of DocXMLRPCServer and setting the server title from untrusted input.
> So low IMHO.
>
> Cheers!
> Sylvain

-- 
--- Inguza Technology AB --- MSc in Information Technology ----
| [email protected] [email protected] |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
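The thread above describes CVE-2019-16935 as a reflected XSS reached when an application sets the DocXMLRPCServer title from untrusted input. The following is an added example, not code from the thread or from CPython itself; it assumes Python 3, where DocXMLRPCServer.py has become the `xmlrpc.server` module. `_OfflineDocGenerator` is a constructed helper that combines the stdlib dispatcher and documentation generator so the page can be rendered without binding a socket. `title_is_escaped()` reports whether the running interpreter escapes the title (a patched interpreter does), and `safe_server_title()` shows the escaping an application would apply itself when it cannot yet upgrade.

```python
"""Added example: probe and mitigation for the DocXMLRPCServer title XSS.

Not part of the mailing-list thread or of CPython. Assumes Python 3
(xmlrpc.server is the Python 3 home of DocXMLRPCServer.py).
"""
import html
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator


class _OfflineDocGenerator(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """Constructed helper: dispatcher + doc generator, without the TCP server.

    DocXMLRPCServer mixes the same two classes into a socket server; here
    they are combined directly so generate_html_documentation() runs offline.
    """

    def __init__(self):
        SimpleXMLRPCDispatcher.__init__(self)
        XMLRPCDocGenerator.__init__(self)


def render_docs_page(server_title: str) -> str:
    """Return the HTML the documentation server would serve for this title."""
    gen = _OfflineDocGenerator()
    gen.set_server_title(server_title)  # the field CVE-2019-16935 concerns
    return gen.generate_html_documentation()


def title_is_escaped(probe: str = 'Docs <b>probe</b> & "q"') -> bool:
    """True when the interpreter escapes the title before placing it in the page.

    A patched xmlrpc.server turns the probe's tags into &lt;b&gt;...; an
    unpatched one reflects them verbatim, which is the reported XSS.
    """
    page = render_docs_page(probe)
    return "<b>probe</b>" not in page and "&lt;b&gt;probe&lt;/b&gt;" in page


def safe_server_title(untrusted: str) -> str:
    """Application-side mitigation: escape before calling set_server_title().

    Makes the title inert on an interpreter that does not escape it itself.
    On a patched interpreter the text is escaped twice (rendered literally,
    which is harmless), so upgrading remains the proper fix.
    """
    return html.escape(untrusted, quote=True)


if __name__ == "__main__":
    print("interpreter escapes server title:", title_is_escaped())
    print("application-side escaped title:", safe_server_title('<b>x</b> & "q"'))
```

Run the block on each interpreter a deployment uses (the thread notes the same file ships in jython and pypy-lib); `title_is_escaped()` returning False is the condition under which an application that takes the title from request data is exposed.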
