Re: dla-needed/imagemagick entry



Hi Markus,

> We contacted the security team directly without CCing the lts mailing
> list. However they didn't reply to us.

OK, Roberto forwarded the discussion to me.

> > I think the security team opted for targeted fixes in the imagemagick case,
> > at least for CVE-2019-9956 (claims remote code execution) and
> > CVE-2019-10650, which appear to be the most important ones.
> > 
> > I'd also like to fix CVE-2019-11598, but that would be pretty much it. The
> > rest can be ignored, IMO.
> > 
> > Backporting targeted fixes should be feasible, even if the code changed
> > quite a bit. I'm not sure upgrading to a whole upstream release is worth
> > it.
> > 
> > Any comments?
> 
> I was about to claim imagemagick in the next days and wanted to do some
> targeted fixes. My idea was to forward port the fixes we did in Wheezy
> and to fix everything else that seems in need of fixing. I haven't
> determined the severity of all no-dsa CVE yet. We could combine our work
> like I did with Mike and libav.

Good idea. I plan to work on CVE-2019-9956, CVE-2019-10650 and possibly
CVE-2019-11598. Do you think an upload ~ next week-end would be feasible
for you?

cheers,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
