Hi Roberto, > > Did you CC debian-lts? I can't find the e-mail you're referring to :) > > > I did not. In a few minutes I will bounce you the message from that > discussion (there are 5 or 6). I won't bounce them to the list, though, > as I suspect they will get flagged as spam.
Thanks for the prompt answer!
> > NOTE: 20181227: We should address the many open issues in imagemagick
> > either by patching them separetely as we did in Wheezy or by updating
> > to a new upstream version like the security team did with Graphicsmagick
> > in Stretch. (apo)
> >
> > I think the security team opted for targeted fixes in the imagemagick case,
> > at least for CVE-2019-9956 (claims remote code execution) and
> > CVE-2019-10650, which appear to be the most important ones.
> >
> > I'd also like to fix CVE-2019-11598, but that would be pretty much it. The
> > rest can be ignored, IMO.
> >
> > Backporting targeted fixes should be feasible, even if the code changed
> > quite a bit. I'm not sure upgrading to a whole upstream release is worth
> > it.
> >
> > Any comments?
> >
> That all makes sense. I did not do any work on backporting fixes, apart
> from making an attempt to build the latest upstream from sid in jessie.
> Since the backport idea did not go anywhere, you should be able to pick
> up from where the current state is in jessie.
Great, I will coordinate with Markus to provide targeted fixes then.
Thanks!
cheers,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
signature.asc
Description: PGP signature
