On Wed, Jul 19, 2017 at 08:28:25PM +0900, Olaf Meeuwissen wrote:
> Adam Borowski writes:
> > On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote:
> >> Actually, imagemagick is one of the worst offenders here. The version in
> >> Jessie is at deb8u9, and every security update tends to mention ~20 CVEs.
> >
> > ... aaaand, just hours later, here comes deb8u10:
> >
> > # Package    : imagemagick
> > # CVE ID     : CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501
> > #              CVE-2017-10928 CVE-2017-11141 CVE-2017-11170
> > #              CVE-2017-11360 CVE-2017-11188
> > # Debian Bug : 863126 867367 867778 867721 864273 864274 867806 868264
> > #              868184 867810 867808 867811 867812 867896 867798 867821
> > #              867824 867825 867826 867893 867823 867894 867897
>
> Totally untested, but you might try to replace imagemagick with
> graphicsmagick. It's at deb8u ;-)

It's a fork, so it suffers from the same vulnerabilities as imagemagick. It
might get better only after someone rewrites everything from scratch (in
which case there'll be a whole new set of bugs).

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ A dumb species has no way to open a tuna can.
⢿⡄⠘⠷⠚⠋⠀ A smart species invents a can opener.
⠈⠳⣄⠀⠀⠀⠀ A master species delegates.
