Bug#930887: [Debian-ha-maintainers] Bug#930887: CVE-2019-10153

2019-06-25 Thread wferi
Valentin Vidić  writes:

> On Mon, Jun 24, 2019 at 02:03:11PM +0200, wf...@niif.hu wrote:
>
>> According to https://security-tracker.debian.org/tracker/CVE-2019-10153,
>> the vulnerable code is not present in stretch.  However, I don't
>> understand why this does not count:
>> 
>> https://salsa.debian.org/ha-team/fence-agents/blob/debian/4.0.25-1/fence/agents/rhevm/fence_rhevm.py#L124
>> 
>> Also, according to http://pycurl.io/docs/latest/unicode.html#unicode the
>> URL conversion to ASCII can fail even when it's implicit, though that
>> probably isn't user controllable, thus may not count.
>
> I suppose the upstream marked it for 4.3.3

https://bugzilla.redhat.com/show_bug.cgi?id=1716286 is more general,
mentioning "fence-agents prior to version 4.3.4"

> but we can make a fix for stretch to be on the safe side?

I think so, but I may overlook something.  Also, I find the switch to
UTF-8 decoding a somewhat unsatisfactory fix: is it wise to depend on
the result being correctly UTF-8 encoded?  If anything goes wrong, an
exception is thrown all the same; it depends on the server.  It may be
desirable, though; I don't know a thing about rhevm.
-- 
Feri



Bug#930887: [Debian-ha-maintainers] Bug#930887: CVE-2019-10153

2019-06-24 Thread wferi
Moritz Muehlenhoff  writes:

> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1716286

Hi Moritz,

According to https://security-tracker.debian.org/tracker/CVE-2019-10153,
the vulnerable code is not present in stretch.  However, I don't
understand why this does not count:

https://salsa.debian.org/ha-team/fence-agents/blob/debian/4.0.25-1/fence/agents/rhevm/fence_rhevm.py#L124

Also, according to http://pycurl.io/docs/latest/unicode.html#unicode the
URL conversion to ASCII can fail even when it's implicit, though that
probably isn't user controllable, thus may not count.
-- 
Thanks,
Feri