Hi,
[ Impact ]
djoser has a very low popcon, so impact should thus be low.
[ Tests ]
not covered by testsuite.
[ Risks ]
The patch cherry-picked from upstream is a revert to a previous state of
the code (before introducing the breakage which wasn't known to have
security implications).
The risks should thus be very low, since it's not "new" code.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
(except debian/gbp.conf branch name, which I think is changelog
clutter)
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
(via a new upstream release)
[ Changes ]
Revert validation code to previous working code with proper
auth validation.
I was curious to see apt install a new package and I had a quick look.
While debian/control received no modifications, the binary package is
getting new dependencies compared to the version in bookworm:
Before:
Depends: python3-django, python3-djangorestframework (>= 3), python3-asgiref, python3-coreapi, python3-social-django, python3:any
After:
Depends: python3-django, python3-djangorestframework (>= 3), python3-asgiref, python3-coreapi, python3-djangorestframework-simplejwt, python3-importlib-metadata | python3 (>> 3.8), python3-social-django, python3:any
For reference, debian/control has:
Depends:
 python3-django,
 python3-djangorestframework (>= 3),
 ${misc:Depends},
 ${python3:Depends},
and the extra dependencies flow through ${python3:Depends}:
python3:Depends=python3-asgiref, python3-coreapi, python3-djangorestframework-simplejwt, python3-importlib-metadata | python3 (>> 3.8), python3-social-django, python3:any
I thought that's curious enough to leave a note here, just in case
someone else wonders whether that's known and/or expected.
Cheers,
--
Cyril Brulebois (***@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
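Since the message above compares the two Depends fields by eye, here is an added example (not part of the bug report or of the djoser package) that parses both fields as quoted above and lists which dependency groups were added or removed; it handles alternatives (`|`), version constraints and the `:any` architecture qualifier, so it generalizes to other Depends lines.

```python
import re

# Depends fields copied from the bug report (bookworm vs. the proposed update).
BEFORE = ("python3-django, python3-djangorestframework (>= 3), python3-asgiref, "
          "python3-coreapi, python3-social-django, python3:any")
AFTER = ("python3-django, python3-djangorestframework (>= 3), python3-asgiref, "
         "python3-coreapi, python3-djangorestframework-simplejwt, "
         "python3-importlib-metadata | python3 (>> 3.8), python3-social-django, "
         "python3:any")

# One alternative inside a dependency group: "name[:arch] [(op version)]".
_ALT_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9+.-]*)(?::([A-Za-z0-9-]+))?"
    r"\s*(?:\(\s*(<<|<=|=|>=|>>)\s*([^)\s]+)\s*\))?\s*$")

def parse_alternative(text):
    """Parse a single alternative into its name, arch qualifier, operator, version."""
    m = _ALT_RE.match(text)
    if not m:
        raise ValueError(f"unparsable dependency: {text!r}")
    name, arch, op, ver = m.groups()
    return {"name": name, "arch": arch, "op": op, "version": ver}

def parse_depends(field):
    """Split a Depends field into groups; each group is a tuple of alternatives."""
    groups = []
    for group in field.split(","):
        if group.strip():
            groups.append(tuple(parse_alternative(alt) for alt in group.split("|")))
    return groups

def _render(group):
    """Render a group back into canonical Depends syntax (used as the diff key)."""
    return " | ".join(
        alt["name"] + (":" + alt["arch"] if alt["arch"] else "")
        + (f" ({alt['op']} {alt['version']})" if alt["op"] else "")
        for alt in group)

def diff_depends(before, after):
    """Return (added, removed) dependency groups, each as a sorted list of strings."""
    b = {_render(g) for g in parse_depends(before)}
    a = {_render(g) for g in parse_depends(after)}
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    added, removed = diff_depends(BEFORE, AFTER)
    print("added:", added)      # the two new groups pulled in via ${python3:Depends}
    print("removed:", removed)  # nothing dropped between the two versions
```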