Re: freeimage and CVE-2019-12214
Thank you for your help!
On Sat, 13 Apr 2024 at 09:56, Cyrille <cyrille@bollu.be> wrote:
>
> I don’t know anything about your procedures, but I don’t see why we wouldn’t…
>
> I would also contact NIST (or whoever is in charge of the CVE database; I can’t remember by heart who it is) to let them know this, so they update the CVE’s vulnerable configurations. I’ll try to do that next week, but I will probably first have to find out which exact versions of openjpeg2 have been affected (which will probably be quite difficult for me)
>
> Nice week-end
>
> Cyrille
>
> > Le 13 avr. 2024 à 00:22, Ola Lundqvist <ola@inguza.com> a écrit :
> >
> > Hi Cyrille
> >
> >> On Fri, 12 Apr 2024 at 16:32, Cyrille Bollu <cyrille@bollu.be> wrote:
> >>
> >> Hi Ola,
> >>
> >> Thank you for your help.
> >>
> >> So, IIUC:
> >>
> >> 1. CVE-2019-12214 shouldn't be assigned to freeimage in Debian Buster;
> >> 2. CVE-2019-12214 might be assigned to source package openjpeg2 or
> >> openjpeg (the later doesn't seem to be available in Buster though)
> >
> > Yes, potentially so. At least if I understand the email from Santiago correctly.
> >
> > freeimage build depends on libopenjp2-7-dev which is built from
> > openjpeg2 so in buster it is openjpeg2 where it should belong.
> >
> > But I do not know whether we typically re-assign things like this or
> > not so I do not want to give advice for this. Better if someone else
> > who knows the practice answers this.
> >
> > // Ola
> >
> > --
> > --- Inguza Technology AB --- MSc in Information Technology ----
> > | ola@inguza.com opal@debian.org |
> > | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
> > ---------------------------------------------------------------
--
--- Inguza Technology AB --- MSc in Information Technology ----
| ola@inguza.com opal@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
Reply to: