Hello Salvatore,

On Sat, Dec 14, 2024 at 03:18:16PM +0100, Salvatore Bonaccorso wrote:
> Source: djoser
> Version: 2.1.0-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/sunscrapers/djoser/issues/795
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
>
> Hi,
[...]
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-21543
>     https://www.cve.org/CVERecord?id=CVE-2024-21543
> [1] https://github.com/sunscrapers/djoser/issues/795
> [2] https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d

djoser appeared in dla-needed.txt and I figured I could take it on as my first attempt at helping out....

I see that it still needs fixing in both stable (bookworm) and oldstable (bullseye) - which both have the same version. So I figured I'd tackle both. (oldoldstable is not affected.)

I've prepared updates in git at:
https://salsa.debian.org/python-team/packages/djoser/-/commits/debian/bookworm
https://salsa.debian.org/python-team/packages/djoser/-/commits/debian/bullseye

According to the lts documentation I've been looking at, next step is to just upload the bullseye update.... however it feels more natural for me to have it fixed in [unstable (& testing)] > stable > oldstable > ... and according to instructions I should get a security team ACK before uploading to bookworm-security, but I haven't been able to find out exactly where to request that ack.

Do you think you could give me the ack (or instruct me where to go from here)?

If I may also ask:
Maybe djoser is not important enough to warrant a bookworm-security upload? (But then, is it important enough for a DLA and if not then why is it in dla-needed.txt?)

If I upload one of the uploads to security queue with -sa (orig source included), should the other upload be without full sources or also with?

>
> Regards,
> Salvatore

Regards,
Andreas Henriksson

