
Re: imagemagick



Hi Brian,

On Mon, Apr 11, 2016 at 09:12:58AM +1000, Brian May wrote:
> Brian May <bam@debian.org> writes:
> 
> > However the upload of imagemagick for Jessie didn't go so well; I didn't
> > realize that packages.debian.org has the correct binary but old source
> > (doesn't take into account point updates properly), so I will have to
> > redo it with the latest source.
> 
> Oh, I think I understand what happened now.
> 
> There was an updated version of imagemagick made for Jessie with all the
> fixes in January. However it didn't get uploaded as a security
> update. Instead it got uploaded in proposed-updates. As a result there
> was nothing mentioned in the security tracker.
> 
> https://tracker.debian.org/news/745776
> 
> Just recently it was moved into Jessie as a point update in the last
> point release.
> 
> There is no need for me to do a security update, as the updates I was
> going to do are already there.
> 
> How can we avoid duplicating efforts like this? Rereading this thread it
> looks like I wasn't the only one confused.

I just checked the security mail exchange with imagemagick
maintainers. Indeed we already had asked maintainers back on the 13th of
January 2016 to fix those issues via jessie-pu for these minor
security problems. Not sure why we haven't done so for wheezy as well.
We probably should have and then mark wheezy as well as no-dsa in the
tracker.

Btw, regarding the tracking of fixes which are no-dsa and scheduled
via a point release:
http://security-team.debian.org/security_tracker.html#distribution-tags
|When a vulnerability is fixed in (oldstable-)proposed-updates, it is
|added to next-(oldstable-)point-update.txt and only added to CVE/list
|after the point release (during which the no-dsa entry is removed).

As well you can double-check against
https://release.debian.org/proposed-updates/stable.html and
https://release.debian.org/proposed-updates/oldstable.html.

This is on purpose, since SRM might decide in last minute to not
include a package. A security team member checks that list on the
point release date and then merges the ones needed back to the
data/CVE/list. As seen on the current list not all such updates were
actually accepted (e.g. cyrus-imapd-2.4). On the last jessie- and
wheezy-point release I was the one doing so.

> Also: as this updates security issues, why was it uploaded to
> proposed-updates and not jessie-security?

Not every security issue needs a DSA, in which case either the
maintainer does it proactively him/herself or actually we ask to fix
those issues via an upcoming point release.

Hope this answer helps,

Regards,
Salvatore
