Hi Markus and Roberto,

I just had a look at imagemagick in jessie and did some quick triage. I saw the following notes in dla-needed:

    NOTE: 20190408: Still waiting on security team response to inquiries from (apo) and (roberto)

Did you CC debian-lts? I can't find the e-mail you're referring to :)

    NOTE: 20181227: We should address the many open issues in imagemagick either by patching them separately as we did in Wheezy or by updating to a new upstream version like the security team did with Graphicsmagick in Stretch. (apo)

I think the security team opted for targeted fixes in the imagemagick case, at least for CVE-2019-9956 (claims remote code execution) and CVE-2019-10650, which appear to be the most important ones. I'd also like to fix CVE-2019-11598, but that would be pretty much it. The rest can be ignored, IMO.

Backporting targeted fixes should be feasible, even if the code changed quite a bit. I'm not sure upgrading to a whole upstream release is worth it.

Any comments?

Thanks!

cheers,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C