I reviewed python-django-gravatar2 version 1.4.2-3 as checked into
disco. This should not be considered a full security audit, but rather a
quick gauge of maintainability.
- There are no prior CVEs against the package
- Build depends:
    debhelper (>= 11),
    dh-python,
    python-all,
    python-setuptools,
    python3-all,
    python3-setuptools
- does not daemonize
- no initscripts
- no dbus services
- no setuid files
- no sudo fragments
- no udev rules
- does not fork
- Test suite performs thorough testing. Some tests rely on internet
access. These tests are NOT run during build.
- no cronjobs
- no logging (not applicable)
- This project has had no activity in the past 1.5 years.
- does not use WebKit
- does not use PolicyKit
- does not use Javascript
- no memory management concerns
The URL returned by gravatar_url() is escaped, whereas the URL returned
in gravatar_profile_url() is not. A pull request has been submitted
upstream to rectify this.
https://github.com/twaddington/django-gravatar/pull/29
Some functions are capable of raising exceptions but provide no
documentation or indication to the user that exceptions may be raised.
Exceptions should be caught by Django and transformed into HTTP 500
errors, so there is theoretically no harm.
ACK from the security team for promoting to main
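An added example, not code from the package or from this bug report, illustrating the escaping point raised above: it builds a Gravatar avatar URL (md5 of the trimmed, lowercased email, as the Gravatar API specifies) and shows that even when the query parameters are percent-encoded, the raw URL still has to be HTML-escaped before it is placed in a template attribute, because the `&` separators are live HTML. The base URLs, function names and the `is_attribute_safe` check are assumptions of this example, not the library's API.

```python
import hashlib
import html
import re
from urllib.parse import urlencode

# Constructed example; base URLs and names are assumptions, not django-gravatar's code.
AVATAR_BASE = "https://secure.gravatar.com/avatar/"
PROFILE_BASE = "https://www.gravatar.com/"

# A bare '&' (one that does not start an entity) or a raw quote/angle bracket
# means the value is not safe to drop into a double-quoted HTML attribute.
_UNSAFE_IN_ATTRIBUTE = re.compile(r'["<>]|&(?![a-zA-Z]+;|#\d+;)')


def email_hash(email: str) -> str:
    """Gravatar identifier: md5 hex digest of the trimmed, lowercased email."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80, default: str = "mm", rating: str = "g") -> str:
    """Raw avatar URL. urlencode percent-encodes the parameter *values*,
    but the '&' separators between parameters remain literal."""
    params = urlencode({"s": size, "d": default, "r": rating})
    return f"{AVATAR_BASE}{email_hash(email)}?{params}"


def gravatar_profile_url(email: str) -> str:
    """Raw profile URL: hash only, no query string."""
    return f"{PROFILE_BASE}{email_hash(email)}"


def escaped_gravatar_url(email: str, **kwargs) -> str:
    """What a template tag should hand back: the same URL with HTML
    metacharacters escaped (& -> &amp;, " -> &quot;, < -> &lt;, ...)."""
    return html.escape(gravatar_url(email, **kwargs), quote=True)


def escaped_gravatar_profile_url(email: str) -> str:
    """Escaped counterpart of gravatar_profile_url()."""
    return html.escape(gravatar_profile_url(email), quote=True)


def is_attribute_safe(value: str) -> bool:
    """True if the string can be embedded in a double-quoted attribute as-is."""
    return _UNSAFE_IN_ATTRIBUTE.search(value) is None
```

Note that `html.unescape()` of the escaped form gives back exactly the raw URL, so escaping costs nothing functionally; the browser decodes `&amp;` before it ever fetches the image.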
https://bugs.launchpad.net/bugs/1820216
Title:
[MIR] python-django-gravatar2 as dependency of mailman3