Hi Brian,

On Mon, Apr 11, 2016 at 09:12:58AM +1000, Brian May wrote:
> Brian May <bam@debian.org> writes:
>
> > However the upload of imagemagick for Jessie didn't go so well; I didn't
> > realize that packages.debian.org has the correct binary but old source
> > (doesn't take into account point updates properly), so I will have to
> > redo it with the latest source.
>
> Oh, I think I understand what happened now.
>
> There was an updated version of imagemagick made for Jessie with all the
> fixes in January. However it didn't get uploaded as a security
> update. Instead it got uploaded in proposed-updates. As a result there
> was nothing mentioned in the security tracker.
>
> https://tracker.debian.org/news/745776
>
> Just recently it was moved into Jessie as a point update in the last
> point release.
>
> There is no need for me to do a security update, as the updates I was
> going to do are already there.
>
> How can we avoid duplicating efforts like this? Rereading this thread it
> looks like I wasn't the only one confused.

I just checked the security mail exchange with imagemagick maintainers.
Indeed we already had asked maintainers back on the 13th of January 2016
to fix those issues via jessie-pu for these minor security problems. Not
sure why we haven't done so for wheezy as well. We probably should have
and then mark wheezy as well as no-dsa in the tracker.

Btw, regarding the tracking of fixes which are no-dsa and scheduled via a
point release:

http://security-team.debian.org/security_tracker.html#distribution-tags

|When a vulnerability is fixed in (oldstable-)proposed-updates, it is
|added to next-(oldstable-)point-update.txt and only added to CVE/list
|after the point release (during which the no-dsa entry is removed).

As well you can double-check against
https://release.debian.org/proposed-updates/stable.html and
https://release.debian.org/proposed-updates/oldstable.html. This is on
purpose, since SRM might decide at the last minute to not include a
package.
A security team member checks that list on the point release date and
then merges the ones needed back to the data/CVE/list. As seen on the
current list not all such updates were actually accepted (e.g.
cyrus-imapd-2.4). On the last jessie- and wheezy-point release I was the
one doing so.

> Also: as this updated security issues, why was it uploaded to
> proposed-updates and not jessie-security?

Not every security issue needs a DSA, in which case either the maintainer
does it proactively him/herself or actually we ask to fix those issues
via an upcoming point release.

Hope this helps,

Regards,
Salvatore