Re: imagemagick

To: debian-lts@lists.debian.org
Subject: Re: imagemagick
From: Thorsten Alteholz <alteholz@debian.org>
Date: Wed, 27 Jan 2016 20:26:27 +0100 (CET)
Message-id: <[🔎] alpine.DEB.2.02.1601272005270.15490@jupiter.server.alteholz.net>
In-reply-to: <[🔎] 87mvrs6a9l.fsf@prune.linuxpenguins.xyz>
References: <[🔎] 87mvrs6a9l.fsf@prune.linuxpenguins.xyz>

Hi Brian,

On Tue, 26 Jan 2016, Brian May wrote:

Just wondered why imagemagick was marked in data/dla-needed.txt?

at least someone found these issues so remarkable that an entry in our CVElist exists.

For the memory leaks and null pointer issues: Do we take the pessimestic
point of view and assume that they are security issues that need fixing,
or should we be conservative?

As long as the security team does not decide otherwise, I would bepessimistic.

                                                                 Suspect
exploiting this might be difficult.


Isn't the nature of exploits to be difficult?

Also, at what point do we decide that a CVE is needed for issues like
this?

We don't decide about CVEs, they are assigned by Mitre. We just do DLAswhenever one is needed and this depends on the severity and/or the numberof issues ...


  Thorsten

Reply to:

Follow-Ups:
- Re: imagemagick
  - From: Raphael Hertzog <hertzog@debian.org>

References:
- imagemagick
  - From: Brian May <brian@linuxpenguins.xyz>

Prev by Date: Re: no-dsa vs. end-of-life
Next by Date: Re: Summary of the LTS BoF held during DebConf
Previous by thread: Re: imagemagick
Next by thread: Re: imagemagick
Index(es):
- Date
- Thread