Hi Mike,

> > I have recently worked on these issues (in the last two weeks, in fact). :-)
> >
> > Most of these issues are no-dsa, either very minor from a security point of
> > view or the patches are too unclear/unstable to be applied currently.
> >
> > The only recently postponed issue is CVE-2019-13391/CVE-2019-13308. I did not
> > upload this patch because it is big, not really understandable, and
> > undocumented. Upstream did not answer my questions yet.
> >
> > I'd just remove imagemagick from dla-needed and wait some time, until
> > upstream clarifies this patch. If he doesn't, I'd just mark this no-dsa.
>
> Can you rather document imagemagick (by adding a short version of the above
> as a note) in dla-needed.txt so that the person at front desktop knows?

Yes, I can do that, but it sounds like a misuse of dla-needed to me. Does it
make sense to have a dla-needed entry for imagemagick if we don't intend to
release any DLA for these issues (yet)?

> If you think that imagemagick has many issues we should ignore for jessie
> LTS, would it be appropriate to tag them as ignored in data/CVE/list?
>
> Otherwise they pop up again and again in lts-cve-triage.py.

I have done some more triage. However, please note that these issues pop up
in lts-cve-triage because they are still open in stretch. The security team
is currently working on imagemagick, so this should be fixed in the next
few weeks.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C