Hi Roberto, > > Did you CC debian-lts? I can't find the e-mail you're referring to :) > > > I did not. In a few minutes I will bounce you the message from that > discussion (there are 5 or 6). I won't bounce them to the list, though, > as I suspect they will get flagged as spam.
Thanks for the prompt answer! > > NOTE: 20181227: We should address the many open issues in imagemagick > > either by patching them separetely as we did in Wheezy or by updating > > to a new upstream version like the security team did with Graphicsmagick > > in Stretch. (apo) > > > > I think the security team opted for targeted fixes in the imagemagick case, > > at least for CVE-2019-9956 (claims remote code execution) and > > CVE-2019-10650, which appear to be the most important ones. > > > > I'd also like to fix CVE-2019-11598, but that would be pretty much it. The > > rest can be ignored, IMO. > > > > Backporting targeted fixes should be feasible, even if the code changed > > quite a bit. I'm not sure upgrading to a whole upstream release is worth > > it. > > > > Any comments? > > > That all makes sense. I did not do any work on backporting fixes, apart > from making an attempt to build the latest upstream from sid in jessie. > Since the backport idea did not go anywhere, you should be able to pick > up from where the current state is in jessie. Great, I will coordinate with Markus to provide targeted fixes then. Thanks! cheers, Hugo -- Hugo Lefeuvre (hle) | www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Description: PGP signature