[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: About the security issues affecting imagemagick in Jessie

Hi Mike,

> > I have recently worked on these issues (in the last two weeks, in fact). :-)
> > 
> > Most of these issues are no-dsa, either very minor from a security point of
> > view or the patches are too unclear/unstable to be applied currently.
> > 
> > The only recently postponed issue is CVE-2019-13391/CVE-2019-13308. I did not
> > upload this patch because it is big, not really understandable, and
> > undocumented. Upstream did not answer my questions yet.
> > 
> > I'd just remove imagemagick from dla-needed and wait some time, until
> > upstream
> > clarifies this patch. If he doesn't, I'd just mark this no-dsa.
> can you rather document imagemagick (by adding a short version of the above
> as a note) in dla-needed.txt so that the person at front desktop knows.

Yes I can do that, but it sounds like a misusage of dla-needed to me.  Does it
make sense to have a dla-needed entry for imagemagick if we don't intend to
release any DLA for these issues (yet)?
> If you think that imagemagick has many issues, we should ignore for jessie
> LTS, would it be appropriate to tag them as ignored in data/CVE/list?
> Otherwise they pop up again and again in lts-cve-triage.py.

I have done some more triage. However please note that these issues pop up in
lts-cve-triage because they are still open in stretch. The security team is
currently working on imagemagick, so this should be fixed in the next weeks.


                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Attachment: signature.asc
Description: PGP signature

Reply to: