
dla-needed/imagemagick entry

Hi Markus and Roberto,

I just had a look at imagemagick in jessie and did some quick triage.

I saw the following notes in dla-needed:

    NOTE: 20190408: Still waiting on security team response to inquiries
    from (apo) and (roberto)

Did you CC debian-lts? I can't find the e-mail you're referring to :)

    NOTE: 20181227: We should address the many open issues in imagemagick
    either by patching them separately as we did in Wheezy or by updating
    to a new upstream version like the security team did with Graphicsmagick
    in Stretch. (apo)

I think the security team opted for targeted fixes in the imagemagick case,
at least for CVE-2019-9956 (claims remote code execution) and
CVE-2019-10650, which appear to be the most important ones.

I'd also like to fix CVE-2019-11598, but that would be pretty much it. The
rest can be ignored, IMO.

Backporting targeted fixes should be feasible, even if the code changed
quite a bit. I'm not sure upgrading to a whole upstream release is worth

Any comments?



                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

