Hi Markus, > We contacted the security team directly without CCing the lts mailing > list. However they didn't reply to us.
OK, Roberto forwarded the discussion to me. > > I think the security team opted for targeted fixes in the imagemagick case, > > at least for CVE-2019-9956 (claims remote code execution) and > > CVE-2019-10650, which appear to be the most important ones. > > > > I'd also like to fix CVE-2019-11598, but that would be pretty much it. The > > rest can be ignored, IMO. > > > > Backporting targeted fixes should be feasible, even if the code changed > > quite a bit. I'm not sure upgrading to a whole upstream release is worth > > it. > > > > Any comments? > > I was about to claim imagemagick in the next days and wanted to do some > targeted fixes. My idea was to forward port the fixes we did in Wheezy > and to fix everything else that seems in need of fixing. I haven't > determined the severity of all no-dsa CVE yet. We could combine our work > like I did with Mike and libav. Good idea. I plan to work on CVE-2019-9956, CVE-2019-10650 and possibly CVE-2019-11598. Do you think an upload ~ next week-end would be feasible for you? cheers, Hugo -- Hugo Lefeuvre (hle) | www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Description: PGP signature