
Re: About the security issues affecting imagemagick in Jessie



Hi Hugo,
(taking out pkg maintainers out of the loop as this is an LTS workflow issue)

On Fr 30 Aug 2019 15:03:03 CEST, Hugo Lefeuvre wrote:

Hi Mike,

The Debian LTS team recently reviewed the security issue(s) affecting your
package in Jessie:
https://security-tracker.debian.org/tracker/source-package/imagemagick

We decided that a member of the LTS team should take a look at this
package, although the security impact of still open issues is low. When
resources are available on our side, one of the LTS team members will
start working on fixes for those minor security issues, as we think that
the jessie users would most certainly benefit from a fixed package.

I have recently worked on these issues (in the last two weeks, in fact). :-)

Most of these issues are no-dsa, either very minor from a security point of
view or the patches are too unclear/unstable to be applied currently.

The only recently postponed issue is CVE-2019-13391/CVE-2019-13308. I did not
upload this patch because it is big, not really understandable, and
undocumented. Upstream did not answer my questions yet.

I'd just remove imagemagick from dla-needed and wait some time, until upstream
clarifies this patch. If he doesn't, I'd just mark this no-dsa.

regards,
Hugo

Can you rather document imagemagick (by adding a short version of the above as a note) in dla-needed.txt so that the person at front desk knows.

If you think that imagemagick has many issues we should ignore for jessie LTS, would it be appropriate to tag them as ignored in data/CVE/list?

Otherwise they pop up again and again in lts-cve-triage.py.

Thanks,
Mike
--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net
