Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2020-01-01 Thread Salvatore Bonaccorso
Hi Anton,

On Wed, Jan 01, 2020 at 11:07:16AM +0100, Anton Gladky wrote:
> Uploaded!

Thank you! (Updated the tracker information).

> Happy new year!

Same to you!

Regards,
Salvatore



Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2020-01-01 Thread Anton Gladky
Uploaded!

Happy new year!

Anton

On Fri, 27 Dec 2019 at 21:23, Hugo Lefeuvre wrote:
>
> > thanks for your valuable work on this bug!
> > Yes, I can prepare an update on 30-31st of December.
>
> that would be great, thanks! :-)
>
> cheers,
> Hugo
>
> --
> Hugo Lefeuvre (hle)|www.owl.eu.com
> RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
> ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C



Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-27 Thread Hugo Lefeuvre
> thanks for your valuable work on this bug!
> Yes, I can prepare an update on 30-31st of December.

that would be great, thanks! :-)

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-27 Thread Anton Gladky
Hi Hugo,

thanks for your valuable work on this bug!
Yes, I can prepare an update on 30-31st of December.

Regards

Anton


On Fri, Dec 27, 2019, 18:01 Hugo Lefeuvre wrote:

> > Sounds like a sensible plan, if we are going to release updates as
> > well for stretch and buster, so that there is not "regression" (I mean
> > timewise, in case upstream will not land a new version) for buster ->
> > bullseye updates.
>
> Agree! Anton, do you think you could handle this update in unstable?  I'd
> love to help, but my Debian time is somewhat limited currently...
>
> cheers,
> Hugo
>
> --
> Hugo Lefeuvre (hle)|www.owl.eu.com
> RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
> ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
>


Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-27 Thread Hugo Lefeuvre
> Sounds like a sensible plan, if we are going to release updates as
> well for stretch and buster, so that there is not "regression" (I mean
> timewise, in case upstream will not land a new version) for buster ->
> bullseye updates.

Agree! Anton, do you think you could handle this update in unstable?  I'd
love to help, but my Debian time is somewhat limited currently...

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-27 Thread Salvatore Bonaccorso
Hi Hugo,

On Fri, Dec 27, 2019 at 04:37:45PM +0100, Hugo Lefeuvre wrote:
> > As there will not be a fix for all CVEs in one go, let's split the bug
> > for the benefit of tracking the fixes. CVE-2019-12211 and
> > CVE-2019-12213 have the same upstream change, so will clone this into
> > three.
> 
> thanks Salvatore!
> 
> regarding CVE-2019-12213 and CVE-2019-12211 in unstable: I have asked
> upstream about his plans to release 3.18.1 but did not receive any answer
> yet.  I suppose that we should cherry pick the patch if we want a quick
> fix.

Sounds like a sensible plan, if we are going to release updates as
well for stretch and buster, so that there is not "regression" (I mean
timewise, in case upstream will not land a new version) for buster ->
bullseye updates.

Regards,
Salvatore



Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-27 Thread Hugo Lefeuvre
Hi,

> As there will not be a fix for all CVEs in one go, let's split the bug
> for the benefit of tracking the fixes. CVE-2019-12211 and
> CVE-2019-12213 have the same upstream change, so will clone this into
> three.

thanks Salvatore!

regarding CVE-2019-12213 and CVE-2019-12211 in unstable: I have asked
upstream about his plans to release 3.18.1 but did not receive any answer
yet.  I suppose that we should cherry pick the patch if we want a quick
fix.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-27 Thread Salvatore Bonaccorso
Control: clone 929597 -1 -2
Control: retitle 929597 freeimage: CVE-2019-12211 CVE-2019-12213
Control: retitle -1 freeimage: CVE-2019-12212
Control: retitle -2 freeimage: CVE-2019-12214

Hi,

As there will not be a fix for all CVEs in one go, let's split the bug
for the benefit of tracking the fixes. CVE-2019-12211 and
CVE-2019-12213 have the same upstream change, so will clone this into
three.

Regards,
Salvatore



Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-11 Thread Hugo Lefeuvre
Hi,

small update:

I have updated jessie with the cherry picked patch for CVE-2019-12213 and
CVE-2019-12211.

I have contacted upstream to know when he is planning to release 3.18.1 so
that we can get this fixed in testing without cherry picking.

I am currently testing stretch and buster updates with the cherry picked
patch.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-06-04 Thread Moritz Muehlenhoff
On Tue, Jun 04, 2019 at 08:20:33PM +0200, Anton Gladky wrote:
> severity 929597 important
> thanks
> 
> The fix from upstream is still not available. I am not feeling
> confident enough to provide a fix for this complex piece
> of code without breaking it.
> 
> Also reducing the severity. If the security team decides to
> keep it "grave" - feel free to revert it.

Fine, but we still need to fix it once properly fixed upstream.

Cheers,
Moritz



Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-06-04 Thread Anton Gladky
severity 929597 important
thanks

The fix from upstream is still not available. I am not feeling
confident enough to provide a fix for this complex piece
of code without breaking it.

Also reducing the severity. If the security team decides to
keep it "grave" - feel free to revert it.

Regards


Anton

On Mon, 3 Jun 2019 at 20:23, Anton Gladky wrote:
>
> There is no upstream fix still available.
>
> I am planning to decrease the severity of
> the ticket to normal and track it as a simple
> security issue.
>
> Anton
>
> On Mon, 27 May 2019 at 23:01, Anton Gladky wrote:
> >
> > CVE-2019-12214 does not affect buster and stretch.
> > Jessie should be double checked because an older
> > version is used there.
> >
> > Anton
> >
> > On Sun, 26 May 2019 at 22:01, Anton Gladky wrote:
> > >
> > > Hi Moritz,
> > >
> > > thanks for reporting. As far as I see, there is still
> > > no available fix from upstream.
> > >
> > > Cheers
> > >
> > > Anton
> > >
> > > On Sun, 26 May 2019 at 21:27, Moritz Muehlenhoff wrote:
> > > >
> > > > Source: freeimage
> > > > Severity: grave
> > > > Tags: security
> > > >
> > > > Please see
> > > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211
> > > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12212
> > > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213
> > > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12214
> > > >
> > > > Cheers,
> > > > Moritz
> > > >
> > > > --
> > > > debian-science-maintainers mailing list
> > > > debian-science-maintain...@alioth-lists.debian.net
> > > > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers



Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-06-03 Thread Anton Gladky
There is no upstream fix still available.

I am planning to decrease the severity of
the ticket to normal and track it as a simple
security issue.

Anton

On Mon, 27 May 2019 at 23:01, Anton Gladky wrote:
>
> CVE-2019-12214 does not affect buster and stretch.
> Jessie should be double checked because an older
> version is used there.
>
> Anton
>
> On Sun, 26 May 2019 at 22:01, Anton Gladky wrote:
> >
> > Hi Moritz,
> >
> > thanks for reporting. As far as I see, there is still
> > no available fix from upstream.
> >
> > Cheers
> >
> > Anton
> >
> > On Sun, 26 May 2019 at 21:27, Moritz Muehlenhoff wrote:
> > >
> > > Source: freeimage
> > > Severity: grave
> > > Tags: security
> > >
> > > Please see
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12212
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12214
> > >
> > > Cheers,
> > > Moritz
> > >
> > > --
> > > debian-science-maintainers mailing list
> > > debian-science-maintain...@alioth-lists.debian.net
> > > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers



Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-05-27 Thread Anton Gladky
CVE-2019-12214 does not affect buster and stretch.
Jessie should be double checked because an older
version is used there.

Anton

On Sun, 26 May 2019 at 22:01, Anton Gladky wrote:
>
> Hi Moritz,
>
> thanks for reporting. As far as I see, there is still
> no available fix from upstream.
>
> Cheers
>
> Anton
>
> On Sun, 26 May 2019 at 21:27, Moritz Muehlenhoff wrote:
> >
> > Source: freeimage
> > Severity: grave
> > Tags: security
> >
> > Please see
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12212
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12214
> >
> > Cheers,
> > Moritz
> >



Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-05-26 Thread Anton Gladky
Hi Moritz,

thanks for reporting. As far as I see, there is still
no available fix from upstream.

Cheers

Anton

On Sun, 26 May 2019 at 21:27, Moritz Muehlenhoff wrote:
>
> Source: freeimage
> Severity: grave
> Tags: security
>
> Please see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12212
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12214
>
> Cheers,
> Moritz
>



Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-05-26 Thread Moritz Muehlenhoff
Source: freeimage
Severity: grave
Tags: security

Please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12212
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12214

Cheers,
Moritz