Hello,

On Mon, Jan 18, 2016 at 9:39 PM, Vincent Fourmond <fourm...@debian.org> wrote:
> On Thu, Jan 14, 2016 at 10:49 PM, Vincent Fourmond <fourm...@debian.org> wrote:
>> On Thu, Jan 14, 2016 at 10:44 PM, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
>>> Control: tags -1 + moreinfo
>>>
>>> On Thu, 2016-01-14 at 22:33 +0100, Vincent Fourmond wrote:
>>> > The imagemagick maintainers (mostly Bastien) have prepared a new
>>> > version of imagemagick for stable that fixes a series of minor
>>> > security issues that the security team did not deem worthy of an
>>> > upload to stable-security. Can we upload the following package? Here
>>> > is the changelog:
>>>
>>> While I've not checked each fix individually (mostly due to the lack of
>>> Debian bugs referenced), at least these changes:
>>>
>>> > - Fix an integer overflow that can lead to a buffer overrun
>>> >   in the icon parsing code (LP: #1459747, closes: #806441)
>>> > - Fix an integer overflow that can lead to a double free in
>>> >   pict parsing (LP: #1448803, closes: #806441).
>>>
>>> claim not to be fixed in unstable according to the BTS metadata, which
>>> is a pre-requisite for fixing them in stable. Please could you clarify
>>> the status of those and the other fixes.
>>
>> You are unfortunately correct. We have uploaded a fix to experimental,
>> but it may not make its way to unstable for a while, so probably the
>> wisest course is to backport the changes to unstable, and then I'll get
>> back to you.
>
> I have uploaded a -7 version to unstable that fixes the security
> problems mentioned above (some of those had been fixed before). I also have
> updated the changelog to make the changes easier to track. Essentially,
> the upload I'm proposing (debdiff to stable attached) makes stable and
> unstable identical, since there were only security fixes involved (the bulk
> of the work is happening in experimental, but there are transitions
> involved, so it's not very fast...). Is that OK for an upload to jpu?
>
> Can I upload to jpu, then?

Or should the fix move to testing first?

Cheers,

Vincent