Hi Brian,

On Fri, Apr 24, 2020 at 2:49 AM Brian May <[email protected]> wrote:
> For reference I filed a similar bug against Django
> <https://code.djangoproject.com/ticket/31412#comment:8> and they
> responded with:
>
> > After consideration, the Django Security Team conclude that this is not
> > a practical attack vector.
> >
> > Work on the related hardenings, such as the referenced tickets should
> > continue.
>
> I am inclined to think we do not need to worry about patching old
> releases for this vulnerability for similar reasons.
Thank you for this. I've started to think along the same lines.

During this weekend, I'll take a quick look over what other distributions are doing for this. And if I don't find something, we could perhaps mark this as "no-dsa"?

I've updated the version (and this is fixed) in unstable/testing. However, I'll close the bug with the next update after cross-checking if everything, indeed, is alright.

Let me know if this seems alright?

Best,
Utkarsh
