Hi Hugo,

(taking pkg maintainers out of the loop as this is an LTS workflow issue)

On Fr 30 Aug 2019 15:03:03 CEST, Hugo Lefeuvre wrote:

> Hi Mike,
>
> The Debian LTS team recently reviewed the security issue(s) affecting your package in Jessie:
> https://security-tracker.debian.org/tracker/source-package/imagemagick
>
> We decided that a member of the LTS team should take a look at this package, although the security impact of still open issues is low. When resources are available on our side, one of the LTS team members will start working on fixes for those minor security issues, as we think that the jessie users would most certainly benefit from a fixed package.
>
> I have recently worked on these issues (in the last two weeks, in fact). :-)
>
> Most of these issues are no-dsa, either very minor from a security point of view or the patches are too unclear/unstable to be applied currently. The only recently postponed issue is CVE-2019-13391/CVE-2019-13308. I did not upload this patch because it is big, not really understandable, and undocumented. Upstream did not answer my questions yet.
>
> I'd just remove imagemagick from dla-needed and wait some time, until upstream clarifies this patch. If he doesn't, I'd just mark this no-dsa.
>
> regards,
> Hugo
Can you rather document imagemagick (by adding a short version of the above as a note) in dla-needed.txt, so that the person at front desk knows?

If you think that imagemagick has many issues we should ignore for jessie LTS, would it be appropriate to tag them as ignored in data/CVE/list? Otherwise they pop up again and again in lts-cve-triage.py.

Thanks,
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: firstname.lastname@example.org, http://sunweavers.net