Hi Sébastien,

> > Security team, would you like an update for stretch and/or buster to
> > address these issues? It's fixed in sid, experimental as well as
> > jessie LTS. Bullseye is just pending migration time AFAICT.
[…]
> yes, that'd be fine. Is there any chance you could also piggyback the
> fix for CVE-2020-9402 (marked "postponed") on top of the ones for
> CVE-2020-13254 and CVE-2020-13596?

Sure. For buster, I recommend we take the latest security upstream
stable release to fix CVE-2020-9402, but for stretch we will need to
backport all three.

However, I just independently discovered a regression in the latest
change for CVE-2020-13254:

  https://code.djangoproject.com/ticket/31654#comment:14

I will wait a few days to see what upstream says. I will also have to
re-release for jessie LTS, alas.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-