On Tue, Nov 26, 2024 at 12:11:27PM -0300, Marco Benatto wrote: > Hello all, > > We recently noticed there's a couple of PRs opened to fix > vulnerabilities in EPEL8 python-django3 with no response from the > maintainer (CC'ed). This is an important update as it fixes 4 > different CVEs. > > https://src.fedoraproject.org/rpms/python-django3/pull-request/2 > > I have raised a bugzilla bug asking for contact according > https://docs.fedoraproject.org/en-US/fesco/Policy_for_nonresponsive_package_maintainers/ > > https://bugzilla.redhat.com/show_bug.cgi?id=2328973 > > may i please have your help in contacting the maintainer? > That PR was never in a state where it's merge-able, FYI - nothing provides python3.6dist(asgiref) >= 3.3.2 needed by python3-django3-3.2.25-1.el8.noarch from @commandline There are also other avenues to ask for help - note that this package is co-maintained by the EPEL Packagers SIG, and I don't see any attempt to reach out on the epel-devel list. While I have the attention from someone on prod sec, could you all fix your CVE scanners to *not* file Javascript bugs against packages that have JS code in their source code only as part of documentation and not in any binary packages? 90% of CVEs in my inbox are false positives -- _o) Michel Lind _( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
Attachment:
signature.asc
Description: PGP signature
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue