Hello,
On Mon, Jan 18, 2016 at 9:39 PM, Vincent Fourmond <fourm...@debian.org>
wrote:
> On Thu, Jan 14, 2016 at 10:49 PM, Vincent Fourmond <fourm...@debian.org>
> wrote:
>
>> On Thu, Jan 14, 2016 at 10:44 PM, Adam D. Barratt <
>> a...@adam-barratt.org.uk> wrote:
>>
>>> Control: tags -1 + moreinfo
>>>
>>> On Thu, 2016-01-14 at 22:33 +0100, Vincent Fourmond wrote:
>>> > The imagemagick maintainers (mostly Bastien) have prepared a new
>>> > version of imagemagick for stable that fixes a series of minor
>>> > security issues that the security team did not deem worthy of an
>>> > upload to stable-security. Can we upload the following package ? Here
>>> > is the changelog:
>>>
>>> While I've not checked each fix individually (mostly due to the lack of
>>> Debian bugs referenced), at least these changes:
>>>
>>> > - Fix an integer overflow that can lead to a buffer overrun
>>> > in the icon parsing code (LP: #1459747, closes: #806441)
>>> > - Fix an integer overflow that can lead to a double free in
>>> > pict parsing (LP: #1448803, closes: #806441).
>>>
>>> claim not to be fixed in unstable according to the BTS metadata, which
>>> is a pre-requisite for fixing them in stable. Please could you clarify
>>> the status of those and the other fixes.
>>>
>>
>> You are unfortunately correct. We have uploaded a fix to experimental,
>> but it may not make its way before a while to unstable, so probably the
>> wisest course is to backport the changes to unstable, and then, I'll get
>> back to you.
>>
>
> I have uploaded a -7 version to unstable that fixes the security
> problems mentioned above (some of those had been fixed before). I also have
> updated the changelog to make the changes more easy to track. Essentially,
> the upload I'm proposing (debdiff to stable attached) makes stable and
> unstable identical, since there were only security fixes involved (the bulk
> of the work is happening in experimental, but there are transitions
> involved, so it's not very fast...). Is that OK for an upload to jpu ?
>
Can I upload to jpu, then ? Or should the fix move to testing first ?
Cheers,
Vincent
