On 02/09/2020 12:46, Chris Lamb wrote:
> Chris Lamb wrote:
>>
>>> Don't the new Django vulnerabilities only apply when running with Python
>>> 3.7 or newer?
>>
>> Replying quickly — possibly, have not looked into the (E)LTS angle yet.
>>
>> I was just ensuring that there was no duplicated effort in the LTS
>> team as I am the 'regular' maintainer of Django. Will adjust the
>> situation when I return to this, either later today or early
>> tomorrow.
>
> Just to follow up on this on-list. Yes, you are absolutely right that
> they require Python 3.7 to be vulnerable. However, I did consider that
> people were using virtualenv (or a similar mechanism) to use a newer
> version of Python. This is, after all, by far the most common way
> people are deploying Python web applications.
>
> However, I believe it is extremely unlikely that someone is using a
> newer version of Python with our Debian-packaged version of Django.
> Far more likely is that people using Python 3.7 in LTS or ELTS will be
> using an equally old version of Django itself or a newer one... but
> they will be obtaining it via a different means (e.g. via
> requirements.txt).
>
> Therefore I will not be updating Django in LTS or ELTS with respect to
> CVE-2020-24583 or CVE-2020-24584 and have updated the repositories to
> reflect this.
Makes sense, and I fully agree.

Cheers,
Emilio
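The decision above rests on a triage question an administrator may want to answer for their own hosts: is the Debian-packaged Django actually being run by a Python 3.7 or newer interpreter (the only case where an LTS/ELTS update would have mattered), or is Django coming from a virtualenv or pip install that the Debian archive would not touch anyway? The following is an added example, not code from Debian, the Django project, or the thread's participants. It assumes the usual Debian locations (`/usr/lib/python3/dist-packages/` for the packaged module, `/usr/local/lib/` for system-wide pip installs) and uses the standard `sys.prefix != sys.base_prefix` test to recognise a virtualenv; both are assumptions about the host's layout, and the version threshold of 3.7 is the one stated in the thread.

```python
"""Triage helper: where does the running Django come from, and does the
Python 3.7+ condition from the thread apply to it?

Added example for the Debian LTS thread above; not Debian or Django code.
Path prefixes are assumptions about a standard Debian host layout.
"""
import sys
from typing import NamedTuple, Optional, Tuple

# Where Debian's python3-django package installs the module (assumption).
DEBIAN_DIST_PACKAGES = "/usr/lib/python3/dist-packages/"
# Where a system-wide `pip install` lands on Debian (assumption).
LOCAL_PIP_PREFIX = "/usr/local/lib/"
# Threshold quoted in the thread: the CVEs need Python 3.7 or newer.
VULNERABLE_FROM = (3, 7)


class DjangoInstall(NamedTuple):
    origin: str                      # see classify_origin()
    python_version: Tuple[int, int]  # (major, minor) of the interpreter
    django_path: Optional[str]       # django/__init__.py, or None


def classify_origin(django_file: Optional[str], sys_prefix: str,
                    base_prefix: str) -> str:
    """Classify the Django module by its on-disk location.

    The Debian path is checked first: a virtualenv created with
    --system-site-packages can still import the packaged Django, and in
    that case the archive's update (or lack of one) is what matters.
    """
    if django_file is None:
        return "not-installed"
    if django_file.startswith(DEBIAN_DIST_PACKAGES):
        return "debian-package"
    if sys_prefix != base_prefix:
        # Inside a venv/virtualenv: Django came from requirements.txt
        # or similar, exactly the case the thread expects for newer Pythons.
        return "virtualenv"
    if django_file.startswith(LOCAL_PIP_PREFIX):
        return "pip-system"
    return "other"


def interpreter_in_scope(python_version: Tuple[int, int]) -> bool:
    """True when the interpreter is new enough for the CVEs to apply."""
    return tuple(python_version) >= VULNERABLE_FROM


def needs_lts_fix(install: DjangoInstall) -> bool:
    """The one combination an LTS/ELTS Django upload would have helped:
    Debian's own package, executed by Python 3.7 or newer.

    Debian stretch ships Python 3.5 and jessie Python 3.4, so on a stock
    LTS/ELTS host this returns False; a True result means someone has
    paired the packaged Django with a newer interpreter by hand.
    """
    return (install.origin == "debian-package"
            and interpreter_in_scope(install.python_version))


def probe() -> DjangoInstall:
    """Inspect the interpreter this script is running under."""
    try:
        import django  # noqa: F401 (only the location is needed)
        django_file = getattr(django, "__file__", None)
    except ImportError:
        django_file = None
    origin = classify_origin(django_file, sys.prefix,
                             getattr(sys, "base_prefix", sys.prefix))
    return DjangoInstall(origin, sys.version_info[:2], django_file)


if __name__ == "__main__":
    found = probe()
    print(f"python {found.python_version[0]}.{found.python_version[1]}, "
          f"django origin: {found.origin} ({found.django_path})")
    print("LTS/ELTS update would matter here:", needs_lts_fix(found))
```

Run it with the same interpreter that serves the application (for example `/srv/app/venv/bin/python triage.py` or via the WSGI container's Python), since `sys.prefix` and the import path of `django` are only meaningful for that interpreter; a result of `virtualenv` or `pip-system` means the fix has to come from updating the requirements pin, not from the Debian archive.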