On Feb/11, Brian May wrote:
> I have been advised each of these issues should have its own CVE.
> I have also been advised that the memory leaks aren't worth bothering
> with, so that leaves 0070, 0071, and 0072 that we would need to deal
> Out of this, only the 0071 patch applies cleanly to the version in
> I also note that a number of security issues concerning imagemagick
> have been marked no-DSA for wheezy and jessie.
> What would you advise for these issues?

Having a CVE associated to each security issue is definitely a plus, at
the very least for those issues serious enough to be fixed via a

> Also I note that a number of security issues fixed in squeeze-lts
> don't have assigned CVEs - is this something that needs rectifying?

It's always a plus, yes.

So, to summarize:
- imagemagick in squeeze appears to only be vulnerable
- issues fixed via a DLA, but lacking a CVE, are:

I personally would only request CVEs for those 4 issues, even though in
the end it's your choice to also ask for those tagged no-dsa.