Hi,

On 30.01.19 at 13:07, Emilio Pozuelo Monfort wrote:
[...]
> I would appreciate some testing and/or feedback.

I have done most of the backporting work for the previous vulnerabilities of Ghostscript. I don't recommend backporting the stable version to Jessie at the moment but rather continuing to address those issues with targeted fixes. There is a high risk that reverse-dependencies will be negatively affected and there were also regressions in Stretch the security team had to deal with. In the case of ghostscript, a complete backport from stable should be the last resort. The whole sandbox concept of ghostscript appears very fragile and even upstream seems to struggle to close all the loopholes.

We should rather disable ghostscript-handled formats in graphicsmagick and imagemagick by default as I have previously suggested and let users handle it manually. [1] We could also invest the time to fix this in unstable first and learn from the result. [2]

Regards,

Markus

[1] https://lists.debian.org/debian-lts/2018/10/msg00019.html
[2] https://bugs.debian.org/907336