Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#57338 - [python-django] CVE-2018-6188
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Friday, 02 February 2018, 17:48 GMT
Last edited by Angel Velasquez (angvp) - Sunday, 04 February 2018, 18:51 GMT
Details
Usually, I wouldn't open a bug report for an outdated package, but in this case, the package in question has not been updated/maintained for half a year (upstream released version 1.11.3 on 2017-07-01), although it has been flagged as outdated already 5 months ago.
python-django and python2-django are currently at version 1.11.2; the current upstream version is 1.11.10, and it fixes a CVE: https://docs.djangoproject.com/en/1.11/releases/1.11.10/ Not sure if it belongs in here, but the 1.11 branch is an LTS branch anyway, and the current version of Django would actually be 2.0.2 (but that branch has dropped support for Python 2). In any case, this package should at least be updated to version 1.11.10 to get rid of CVE-2018-6188.
Comment by Jelle van der Waa (jelly) - Saturday, 03 February 2018, 10:04 GMT
Side note: the CVE mentions that the bug seems to have been introduced in 1.11.8, and our repository version is 1.11.2, so it should not be affected.
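The check behind jelly's side note, written out as an added example (it is not part of this bug report and not Arch's packaging tooling): compare the packaged pkgver against the affected range of CVE-2018-6188. The 1.11 range comes from the thread itself (regression introduced in 1.11.8, fixed in 1.11.10); the 2.0 range ([2.0, 2.0.2)) is an assumption taken from upstream's release notes, which this page does not state. The `pacman -Q` output it parses is constructed, not captured from a real system, and the "django" name filter is a convenience of this example.

```python
"""Added example: is a packaged Django version inside the affected range
of CVE-2018-6188? Not part of the bug report or of Arch's tooling."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a plain dotted release version ('1.11.2') into a tuple of ints.

    Pre-release or local suffixes ('2.0rc1', '1.11.2+local') are rejected
    rather than silently mis-ordered. Tuple comparison then gives the
    expected ordering; a shorter prefix such as (2, 0) sorts before (2, 0, 1).
    """
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def arch_pkgver(full: str) -> str:
    """Strip an Arch package version '[epoch:]pkgver-pkgrel' down to pkgver."""
    no_epoch = full.split(":", 1)[-1]
    return no_epoch.rsplit("-", 1)[0]


# Half-open affected ranges [introduced, fixed). The 1.11 range uses the
# versions stated in the thread (regression in 1.11.8, fix in 1.11.10).
# The 2.0 range is an ASSUMPTION taken from upstream's release notes; the
# bug report itself does not mention it.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    (parse_version("1.11.8"), parse_version("1.11.10")),
    (parse_version("2.0"), parse_version("2.0.2")),
]


def is_affected(pkgver: str, ranges=AFFECTED_RANGES) -> bool:
    """True if pkgver lies inside any affected range."""
    v = parse_version(pkgver)
    return any(lo <= v < hi for lo, hi in ranges)


def audit_pacman_q(output: str) -> Dict[str, Tuple[str, bool]]:
    """Parse 'pacman -Q' lines ('name version-rel'), keep packages whose
    name contains 'django' (a convenience filter for this example), and
    return {name: (pkgver, affected)}."""
    result: Dict[str, Tuple[str, bool]] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, full = line.split()
        if "django" not in name:
            continue
        ver = arch_pkgver(full)
        result[name] = (ver, is_affected(ver))
    return result


# Constructed sample output (not captured from a real system): the repo
# state the report describes, and the state after the update to 1.11.10.
SAMPLE_BEFORE = """\
python-django 1.11.2-1
python2-django 1.11.2-1
python-requests 2.18.4-1
"""
SAMPLE_AFTER = """\
python-django 1.11.10-1
python2-django 1.11.10-1
python-requests 2.18.4-1
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for name, (ver, hit) in audit_pacman_q(sample).items():
            status = "AFFECTED" if hit else "not affected"
            print(f"{label:<7} {name:<16} {ver:<8} {status}")
```

Both 1.11.2 and 1.11.10 fall outside the range, which is the point of the side note: being outdated is not the same as being vulnerable, and the repo version was simply older than the regression. Strict version parsing matters here; a loose string comparison would put "1.11.10" before "1.11.8".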
Comment by Angel Velasquez (angvp) - Sunday, 04 February 2018, 18:51 GMT
Updated to 1.11.10 today.