
Re: About the security issues affecting imagemagick in Jessie



Hi Mike,

> > I have recently worked on these issues (in the last two weeks, in fact). :-)
> > 
> > Most of these issues are no-dsa, either very minor from a security point of
> > view or the patches are too unclear/unstable to be applied currently.
> > 
> > The only recently postponed issue is CVE-2019-13391/CVE-2019-13308. I did not
> > upload this patch because it is big, not really understandable, and
> > undocumented. Upstream did not answer my questions yet.
> > 
> > I'd just remove imagemagick from dla-needed and wait some time, until upstream
> > clarifies this patch. If he doesn't, I'd just mark this no-dsa.
> 
> Can you rather document imagemagick (by adding a short version of the above
> as a note) in dla-needed.txt so that the person at front desk knows?

Yes, I can do that, but it sounds like a misuse of dla-needed to me. Does it
make sense to have a dla-needed entry for imagemagick if we don't intend to
release any DLA for these issues (yet)?

> If you think that imagemagick has many issues, we should ignore for jessie
> LTS, would it be appropriate to tag them as ignored in data/CVE/list?
>
> Otherwise they pop up again and again in lts-cve-triage.py.

I have done some more triage. However, please note that these issues pop up in
lts-cve-triage.py because they are still open in stretch. The security team is
currently working on imagemagick, so this should be fixed in the coming weeks.

cheers,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
