severity 407521 important
thanks

On Fri, 19 Jan 2007, Marc Fargas wrote:
> severity critical
> tags +patch
> thanks
>
> The current Django version in Debian has a security hole, so this bug
> should be critical, and the patch recommended by the submitter should be
> applied and brought to etch, I think.

Same story as before. Nobody has explained under which circumstances this bug constitutes a security risk. And you're inflating the severity without proper justification.

The upstream ticket http://code.djangoproject.com/ticket/2702 doesn't mention the possible security risk.

James has mentioned the problem to be that one could be granted rights that have been granted to a previous HTTP request. If such a behaviour was happening all the time, I bet it would be a very important bug... but since I see no mention of that in the upstream ticket, I believe it probably happens seldom.

Has there been discussion of this problem somewhere else? Can you tell us under which circumstances this can happen?

In the meantime, I'm downgrading. Depending on the answer to the question above, I may agree to change it back to serious. Opinions are welcome of course.

Regards,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux: http://www.ouaza.com/livre/admin-debian/