
Bug#907493: [SECURITY] [DSA 4288-1] ghostscript security update



On Sat, Sep 08, 2018 at 07:10:59AM +0200, Paul Gevers wrote:
> Dear security team,
> 
> On 09/07/18 23:23, Moritz Muehlenhoff wrote:
> > Package        : ghostscript
> > CVE ID         : CVE-2018-15908 CVE-2018-15910 CVE-2018-15911
> >                  CVE-2018-16511 CVE-2018-16513 CVE-2018-16539
> >                  CVE-2018-16540 CVE-2018-16541 CVE-2018-16542
> >                  CVE-2018-16543 CVE-2018-16585
> 
> The latest upload of ghostscript to unstable, which as far as I know
> only tried to fix some of these CVEs, caused the autopkgtest of
> multiple packages to start timing out (bug 907493). Were you aware of
> that and have you done any testing to verify that this isn't an issue
> for the stable upload?
> 
> If so, that would be an interesting data point for the bug. If not, you
> may be facing the same regression in stretch. I have the wild hunch that
> this is related to the openssl upstream bump in unstable, but nobody has
> verified that yet. If stretch is not seeing this regression that
> would mean there may also be a path to fix testing/buster until we
> figure out what needs fixing in ghostscript.

This probably needs upstream commit 150c8f69646b854a99f35f27edaae012eb2e900f,
which I've applied for the stable-security update, but is not yet in sid.

Cheers,
        Moritz

