[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: About the security issues affecting imagemagick in Jessie

Hi Mike,

> I find that the below package / CVE states make front-desk life easy and
> clear:
>   - package has been claimed
>   - a CVE is tagged with <ignored>
>   - a CVE is tagged with <not-affected>
>   - a CVE is vulnerable
>   - a CVE is fixed

Should we completely stop using <no-dsa> then?

This makes sense for the security team, but is it useful in the LTS case?

I'm not sure myself. I usually use no-dsa when a CVE is minor but I didn't
take a final decision (ignore it/postpone it) yet (not enough time, no
"need" to take a final decision, can be revisited).

> The <postponed> tag is a bit of a dodgy statement here (it should be worked
> upon, but later when some other more severe issue pops up for the same
> package, or when some feedback is received, or when <what-ever>).
> So, a <postponed> tag can in fact mean anything. When being at front-desk
> you have to dig into the details (security-tracker comments, older mailing
> list threads, etc.) to understand the nature of individual <postponed> tags.
> This is awkward IMHO.

I don't think so. <postponed> entries don't have to be revisited unless new
issues pop up for which we want to release a DLA.

Most of the time when I tag <postponed> I mean "this is really minor,
preparing an update just for that would be wasting our time.  regression
risks are very low though, so let's ship it in an future update".

> Regarding imagemagick, CVE-2019-13308 and CVE-2019-13391 are postponed,
> because upstream feedback is required. CVE-2019-14981 is postponed until
> something more severe needs fixing.
> IMHO, CVE-2019-13308 and CVE-2019-13391 are a good reason for keeping
> imagemagick in dla-needed.txt and also keeping it claimed by the person who
> sent out the requests for feedback to upstream.

Regarding CVE-2019-13308 and CVE-2019-13391, I meant "revisit these when
preparing the next update, as of now I don't want to apply this
undocumented, large, potentially incomplete patch".

Also, the issue is uncritical, no hurry. We can just take a look at this
when new issues pop up for imagemagick.

This is borderline, so let's stop wasting time: we can keep a dla-needed
entry with appropriate comments for both front desk and regular lts


                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Attachment: signature.asc
Description: PGP signature

Reply to: