[No need to CC me, I am subscribed] Am 30.01.19 um 14:29 schrieb Moritz Mühlenhoff: > On Wed, Jan 30, 2019 at 01:24:40PM +0100, Markus Koschany wrote: >> Hi, >> >> Am 30.01.19 um 13:07 schrieb Emilio Pozuelo Monfort: >> [...] >>> I would appreciate some testing and/or feedback. >> >> I have done most of the backporting work for the previous >> vulnerabilities of Ghostscript. I don't recommend to backport the stable >> version to Jessie at the moment but rather to continue to address those >> issues with targeted fixes. > > I disagree, rebasing to the latest release is the only sensible approach > (and I would have advised it already for the previous DLAs). While a number > of CVEs have been assigned over time, I strongly doubt they're exhaustive > and there were cases where CVE IDs had been assigned for bugs which had been > fixed as regular bugs and only got a CVE ID when taviso diagnosed the security > impact in hindsight. There's a reason DSA-4336-1 rebased to 9.25 after > DSA-4294-1 had already shipped a significant number of backports.
The truth is the -dSafer option gives a false sense of security even in the latest release and we will probably continue to see more of those issues. The version in Jessie is more than seven years old already, so you have to carefully weigh the usefulness of backporting the latest stable release and the risk of breaking reverse-dependencies. The targeted approach worked well so far and all known vulnerabilities were addressed. The Jessie version is not any less secure than the version in Stretch and the codebase is very different. >> There is a high risk that >> reverse-dependencies will be negatively affected and there were also >> regressions in Stretch the security team had to deal with. > > The regression fixed in DSA-4346-2 was a functional change within the newer > upstream release (i.e. it also affected sid) and it's fixed now, so that's > moot for jessie. The point was you had to deal with regressions but the original version in Stretch was much more recent than the one in Jessie. You cannot rule out this will be the only functional change for Jessie users. If Emilio wants to go this route than he should be prepared to handle those regressions too. Markus
Description: OpenPGP digital signature