On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote:
> Actually, imagemagick is one of the worst offenders here. The version in Jessie
> is at deb8u9, and every security update tends to mention ~20 CVEs.

... aaaand, just hours later, here comes deb8u10:

# Package        : imagemagick
# CVE ID         : CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501
#                  CVE-2017-10928 CVE-2017-11141 CVE-2017-11170
#                  CVE-2017-11360 CVE-2017-11188
# Debian Bug     : 863126 867367 867778 867721 864273 864274 867806 868264
#                  868184 867810 867808 867811 867812 867896 867798 867821
#                  867824 867825 867826 867893 867823 867894 867897
#
# This update fixes several vulnerabilities in imagemagick: Various
# memory handling problems and cases of missing or incomplete input
# sanitising may result in denial of service, memory disclosure or the
# execution of arbitrary code if malformed RLE, SVG, PSD, PDB, DPX, MAT,
# TGA, VST, CIN, DIB, MPC, EPT, JNG, DJVU, JPEG, ICO, PALM or MNG
# files are processed.

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ A dumb species has no way to open a tuna can.
⢿⡄⠘⠷⠚⠋⠀ A smart species invents a can opener.
⠈⠳⣄⠀⠀⠀⠀ A master species delegates.

_______________________________________________
Dng mailing list
[email protected]
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
