
Re: dla-needed/imagemagick entry

Hi Roberto,

> > Did you CC debian-lts? I can't find the e-mail you're referring to :)
> > 
> I did not.  In a few minutes I will bounce you the message from that
> discussion (there are 5 or 6).  I won't bounce them to the list, though,
> as I suspect they will get flagged as spam.

Thanks for the prompt answer!

> >     NOTE: 20181227: We should address the many open issues in imagemagick
> >     either by patching them separately as we did in Wheezy or by updating
> >     to a new upstream version like the security team did with Graphicsmagick
> >     in Stretch. (apo)
> > 
> > I think the security team opted for targeted fixes in the imagemagick case,
> > at least for CVE-2019-9956 (claims remote code execution) and
> > CVE-2019-10650, which appear to be the most important ones.
> > 
> > I'd also like to fix CVE-2019-11598, but that would be pretty much it. The
> > rest can be ignored, IMO.
> > 
> > Backporting targeted fixes should be feasible, even if the code changed
> > quite a bit. I'm not sure upgrading to a whole upstream release is worth
> > it.
> > 
> > Any comments?
> > 
> That all makes sense.  I did not do any work on backporting fixes, apart
> from making an attempt to build the latest upstream from sid in jessie.
> Since the backport idea did not go anywhere, you should be able to pick
> up from where the current state is in jessie.

Great, I will coordinate with Markus to provide targeted fixes then.



                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
