Hi

I think a no-dsa (ignored) would be good in this case.
Ignored because we have been quite detailed in the analysis and the upstream fix causes a regression.

// Ola

On Thu, 23 Apr 2020 at 23:40, Utkarsh Gupta <[email protected]> wrote:
>
> Hi Brian,
>
> On Fri, Apr 24, 2020 at 2:49 AM Brian May <[email protected]> wrote:
> > For reference I filed a similar bug against Django
> > <https://code.djangoproject.com/ticket/31412#comment:8> and they
> > responded with:
> >
> > > After consideration, the Django Security Team conclude that this is not
> > > a practical attack vector.
> > >
> > > Work on the related hardenings, such as the referenced tickets should
> > > continue.
> >
> > I am inclined to think we do not need to worry about patching old
> > releases for this vulnerability for similar reasons.
>
> Thank you for this. I've started to think on the same lines.
> During this weekend, I'll take a quick look over what other
> distributions are doing for this.
>
> And if I don't find something, we could perhaps mark this as "no-dsa"?
> I've updated the version (and this is fixed) in unstable/testing.
> However, I'll close the bug with the next update after cross-checking
> if everything, indeed, is alright.
>
> Let me know if this seems alright?
>
>
> Best,
> Utkarsh
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  [email protected]  [email protected]  |
|  http://inguza.com/  Mobile: +46 (0)70-332 1551  |
 ---------------------------------------------------------------
