[Git][security-tracker-team/security-tracker][master] 2 commits: dla-needed: update {graphics,image}magick entries

Hugo Lefeuvre hle at debian.org
Sun May 12 13:35:29 BST 2019



Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6fd79c97 by Hugo Lefeuvre at 2019-05-12T12:28:48Z
dla-needed: update {graphics,image}magick entries

imagemagick: update notes to reflect discussion on debian-lts mailing
list.

- - - - -
1e666606 by Hugo Lefeuvre at 2019-05-12T12:34:48Z
CVE-2019-11506/graphicsmagick: no-dsa in jessie

FPE (limited impact), patch is large with high potential of introducing
regressions (initial patch contained a new heap buffer overflow).

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -875,6 +875,7 @@ CVE-2019-11507 (In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1
 	NOT-FOR-US: Pulse Secure Pulse Connect Secure
 CVE-2019-11506 (In GraphicsMagick from version 1.3.30 to 1.4 snapshot-20190403 Q8, the ...)
 	- graphicsmagick 1.4~hg15968-1
+	[jessie] - graphicsmagick <no-dsa> (Minor issue)
 	NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/57ac0ae85e2a
 	NOTE: https://sourceforge.net/p/graphicsmagick/bugs/604/
 CVE-2019-11505 (In GraphicsMagick from version 1.3.8 to 1.4 snapshot-20190403 Q8, ther ...)
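Review bot: the new `[jessie] - graphicsmagick <no-dsa> (Minor issue)` line carries only the generic "Minor issue" rationale, while the real reasoning lives in the commit message (FPE with limited impact, large fix with high regression risk, the initial upstream patch itself introduced a heap buffer overflow). Consider folding a short form of that into the parenthetical, e.g. `(Minor issue; FPE, fix is large and regression-prone)`, so a reader of data/CVE/list sees why jessie is skipped without digging through git history.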


=====================================
data/dla-needed.txt
=====================================
@@ -31,6 +31,7 @@ faad2 (Hugo Lefeuvre)
 ghostscript (Roberto C. Sánchez)
 --
 graphicsmagick (Hugo Lefeuvre)
+  NOTE: 20190512: preparing an update for recent buffer overflows.
 --
 hdf5 (Hugo Lefeuvre)
   NOTE: CVE-2018-17432: upstream claims to have fixed this in 1.10.5 (issue HDF-10590)
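Review bot: `NOTE: 20190512: preparing an update for recent buffer overflows.` does not say which CVE identifiers the planned update covers, and the same push marks CVE-2019-11506 `<no-dsa>` for jessie, so the scope of the DLA cannot be cross-checked against data/CVE/list from this entry alone. Suggest listing the identifiers in scope and the exclusion explicitly, along the lines of `NOTE: 20190512: preparing an update for recent buffer overflows (CVE-<ids here>; CVE-2019-11506 excluded, no-dsa).`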
@@ -40,12 +41,9 @@ hdf5 (Hugo Lefeuvre)
   NOTE: a Jira issue for this: https://jira.hdfgroup.org/browse/HDFFV-10755 (hle)
 --
 imagemagick (Hugo Lefeuvre, Markus Koschany)
-  NOTE: 20181227: We should address the many open issues in imagemagick either
-  NOTE: by patching them separetely as we did in Wheezy or by updating to a
-  NOTE: new upstream version like the security team did with Graphicsmagick in
-  NOTE: Stretch. (apo)
-  NOTE: 20190408: Still waiting on security team response to inquiries from (apo) and (roberto)
-  NOTE: CVE-2019-11598: patch is broken. Wait for followup patches.
+  NOTE: many open issues, but most of them are minor. This is not enough to justify
+  NOTE: full backport of a more recent version -> handle vulnerabilities on a case by
+  NOTE: case basis (hle)
 --
 jruby
 --
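Review bot: the rewrite drops `NOTE: CVE-2019-11598: patch is broken. Wait for followup patches.`, which is a concrete per-CVE status; since the new text adopts case-by-case handling, that is exactly the kind of tracking information this entry should keep, or it should move to the CVE's own NOTE line in data/CVE/list rather than disappear. Also, unlike the graphicsmagick note added in the same push, the replacement has no `YYYYMMDD:` date prefix; add `20190512:` so the next reader can tell how current the assessment is.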



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/1d48d724ff1a6b7c9276fb5ff4a0590701e29f72...1e666606ff533ca89aa93f27d279a7e55940fc50
