backport the security patch of CVE-2024-21506

[Crispy-fried-chicken]

Here is a vulnerability which is mentioned in #1564 and fixed in the v4.6branch 56b6b6d, but is not fixed in the branch of v4.4, maybe it should be backported?

[ShaneHarvey]

Hi @Crispy-fried-chicken, we don't support the v4.4 version anymore. Is there any reason you cannot upgrade to 4.6.3+, 4.7+ or 4.8.0? We follow semantic version so your app should be able to upgrade without issue.

[Crispy-fried-chicken]

Hi, @ShaneHarvey ,Given the complexity of my project, upgrading directly to versions 4.6.3+, 4.7+, or 4.8.0 could potentially cause various supply chain security challenges. Moreover, I know that a significant number of users are still dependent on version v4.4. With this in mind, could you please consider implementing the fix in the v4.4 branch? This would greatly contribute to maintaining security and stability for those continuing to use this version.

[blink1073]

could potentially cause various supply chain security challenges

We only have one direct dependency, dnspython, and it did not change between the two versions. We don't have the infrastructure set up to make a release against this branch.

[blink1073]

Unfortunately we are unable accept this change.