Hi

With my LTS front desk hat on I think this is worth investigating. However, as you write, we have to get the regular security team on board first.

// Ola

On 26 January 2017 at 15:14, Raphael Hertzog <[email protected]> wrote:
> Hello,
>
> I started to work on fixing jbig2dec/wheezy for
> https://security-tracker.debian.org/tracker/CVE-2016-9601 but
> the patch that allegedly fixes the current issue is rather invasive
> and while looking at the git history you will quickly see
> that almost all the changes since the version that we have in wheezy and
> jessie are potential security issues that were never assigned any CVE:
> http://git.ghostscript.com/?p=jbig2dec.git;a=shortlog
>
> - Many CERT reported issues
> - Many fuzzing related bugs
> - Many valgrind errors
> - Many heap overflow/underflow
>
> Thus I wonder if the proper approach is not to update the version
> that we have in wheezy/jessie to be in sync with what's in stretch/sid.
>
> The number of reverse dependencies is rather low and we should be able
> to ensure that they are still working as expected.
>
> I can only do that in wheezy if we also do it in jessie, so I seek the
> input of the security team as well. I can prepare the update for both
> suites.
>
> Let me know your thoughts.
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: https://www.freexian.com/services/debian-lts.html
> Learn to master Debian: https://debian-handbook.info/get/

--
--- Inguza Technology AB --- MSc in Information Technology ----
/ [email protected]              Folkebogatan 26            \
| [email protected]              654 68 KARLSTAD            |
| http://inguza.com/             Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
