Hi,

in the meantime it's graphicsmagick 1.3.25-2 on Debian Stretch, but Jessie - which is the current stable release - still has 12 security issues going back to 2015:


CVE-2016-5241
CVE-2016-5240
CVE-2016-5239
CVE-2016-5118
CVE-2016-3718
CVE-2016-3717
CVE-2016-3716
CVE-2016-3715
CVE-2016-3714
CVE-2016-2318
CVE-2016-2317
CVE-2015-8808

Do you think 1.3.25-2 might be used for a stable update?

Stephan

On Tue, 5 Jul 2016 08:53:29 -0500 (CDT) Bob Friesenhahn <bfrie...@simple.dallas.tx.us> wrote:
On Tue, 5 Jul 2016, László Böszörményi wrote:
>
> I don't think 1.3.24 would be an easy target for Jessie. Maybe apply
> the first set of patches, release it as a DSA, then add the others, a
> new DSA... But it's also not the best idea.
> I include the Security Team in this discussion, to see what they say about this.

There are still more security related fixes in the MVG/SVG rendering
code (e.g. changeset 14860:6071b5820215).  Also some of the error
checking which was added is apparently too strict and causing failures
with SVG files which were previously accepted.  It is my intention to
release a 1.3.25 which primarily fixes parsing issues introduced with
1.3.24 as well as fixes heap/stack overflow/overrun issues in the
rendering code.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/