
Re: dla-needed/imagemagick entry



Hi,

On 05.05.19 at 14:34, Hugo Lefeuvre wrote:
> Hi Markus and Roberto,
> 
> I just had a look at imagemagick in jessie and did some quick triage.
> 
> I saw the following notes in dla-needed:
> 
>     NOTE: 20190408: Still waiting on security team response to inquiries
>     from (apo) and (roberto)
> 
> Did you CC debian-lts? I can't find the e-mail you're referring to :)
> 
>     NOTE: 20181227: We should address the many open issues in imagemagick
>     either by patching them separately as we did in Wheezy or by updating
>     to a new upstream version like the security team did with Graphicsmagick
>     in Stretch. (apo)

We contacted the security team directly without CCing the LTS mailing
list. However, they didn't reply to us.

> I think the security team opted for targeted fixes in the imagemagick case,
> at least for CVE-2019-9956 (claims remote code execution) and
> CVE-2019-10650, which appear to be the most important ones.
> 
> I'd also like to fix CVE-2019-11598, but that would be pretty much it. The
> rest can be ignored, IMO.
> 
> Backporting targeted fixes should be feasible, even if the code changed
> quite a bit. I'm not sure upgrading to a whole upstream release is worth
> it.
> 
> Any comments?

I was about to claim imagemagick in the next days and wanted to do some
targeted fixes. My idea was to forward-port the fixes we did in Wheezy
and to fix everything else that seems in need of fixing. I haven't
determined the severity of all no-dsa CVEs yet. We could combine our work
like I did with Mike and libav.

Regards,

Markus

