CCing the Security Team as well

On Fri, Jun 21, 2019 at 01:15:23PM +0200, Piotr Ożarowski wrote:
> Hi Andreas,
>
> > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212
> > >
> > > Patch is at
> > > https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7
> >
> > I know you are usually pretty quick in solving serious issues. I tried
> > to check the issue and think the link provided for a patch is just
> > pointing to a proof of concept exploit. When reading the discussion
> > here
> >
> > https://github.com/davidhalter/parso/issues/75
> >
> > I understand that it is not fixed but the authors do not consider the
> > issue serious. Could you please give some comment from an insider's
> > point of view (which I'm not). I'm just caring since several Debian
> > Science dependencies are about to be removed from testing due to this
> > bug.
>
> I don't consider it that serious either. I'll wait for upstream to
> provide a proper fix. If there will be no such fix in time, I guess I can
> just disable cache if security team insists.
>
So upstream closed the issue marked at the forwarded URL for this bug, saying they'll address it with documentation. I hope that more documentation is forthcoming, because a quick search only found this commit:

https://github.com/davidhalter/parso/commit/19de3eb5ca1ae9e7994f8d72f83328d83538fd16

Dear Security Team, does that seem like it's sufficient?

Cheers,
Nicholas