On Mon, Jun 24, 2019 at 02:03:11PM +0200, wf...@niif.hu wrote:
> According to https://security-tracker.debian.org/tracker/CVE-2019-10153,
> the vulnerable code is not present in stretch. However, I don't
> understand why this does not count:
>
> https://salsa.debian.org/ha-team/fence-agents/blob/debian/4.0.25-1/fence/agents/rhevm/fence_rhevm.py#L124
>
> Also, according to http://pycurl.io/docs/latest/unicode.html#unicode the
> URL conversion to ASCII can fail even when it's implicit, though that
> probably isn't user controllable, thus may not count.

I suppose the upstream marked it for 4.3.3, but we can make a fix for stretch to be on the safe side?

--
Valentin