[Git][security-tracker-team/security-tracker][master] 2 commits: dla-needed: update {graphics,image}magick entries
Hugo Lefeuvre
hle at debian.org
Sun May 12 13:35:29 BST 2019
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker
Commits:
6fd79c97 by Hugo Lefeuvre at 2019-05-12T12:28:48Z
dla-needed: update {graphics,image}magick entries
imagemagick: update notes to reflect discussion on debian-lts mailing list.
- - - - -
1e666606 by Hugo Lefeuvre at 2019-05-12T12:34:48Z
CVE-2019-11506/graphicsmagick: no-dsa in jessie
FPE (limited impact), patch is large with high potential of introducing regressions (initial patch contained a new heap buffer overflow).
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -875,6 +875,7 @@ CVE-2019-11507 (In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1
NOT-FOR-US: Pulse Secure Pulse Connect Secure
CVE-2019-11506 (In GraphicsMagick from version 1.3.30 to 1.4 snapshot-20190403 Q8, the ...)
- graphicsmagick 1.4~hg15968-1
+ [jessie] - graphicsmagick <no-dsa> (Minor issue)
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/57ac0ae85e2a
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/604/
CVE-2019-11505 (In GraphicsMagick from version 1.3.8 to 1.4 snapshot-20190403 Q8, ther ...)
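Review bot: the added jessie line `[jessie] - graphicsmagick <no-dsa> (Minor issue)` records less reasoning than the commit message does (FPE with limited impact, large upstream patch with regression risk, initial patch introduced a new heap buffer overflow); putting that rationale in the parenthetical, e.g. `(Minor issue; FPE, large patch with regression risk)`, lets a future triager see why jessie was skipped without going through git history.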
=====================================
data/dla-needed.txt
=====================================
@@ -31,6 +31,7 @@ faad2 (Hugo Lefeuvre)
ghostscript (Roberto C. Sánchez)
--
graphicsmagick (Hugo Lefeuvre)
+ NOTE: 20190512: preparing an update for recent buffer overflows.
--
hdf5 (Hugo Lefeuvre)
NOTE: CVE-2018-17432: upstream claims to have fixed this in 1.10.5 (issue HDF-10590)
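Review bot: the new `NOTE: 20190512: preparing an update for recent buffer overflows.` under graphicsmagick names no CVE IDs, so the entry cannot be cross-checked against data/CVE/list or the tracker's jessie status; listing the CVEs the update covers (as the hdf5 entry below does with CVE-2018-17432) would make the dla-needed status verifiable and avoid duplicate work.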
@@ -40,12 +41,9 @@ hdf5 (Hugo Lefeuvre)
NOTE: a Jira issue for this: https://jira.hdfgroup.org/browse/HDFFV-10755 (hle)
--
imagemagick (Hugo Lefeuvre, Markus Koschany)
- NOTE: 20181227: We should address the many open issues in imagemagick either
- NOTE: by patching them separetely as we did in Wheezy or by updating to a
- NOTE: new upstream version like the security team did with Graphicsmagick in
- NOTE: Stretch. (apo)
- NOTE: 20190408: Still waiting on security team response to inquiries from (apo) and (roberto)
- NOTE: CVE-2019-11598: patch is broken. Wait for followup patches.
+ NOTE: many open issues, but most of them are minor. This is not enough to justify
+ NOTE: full backport of a more recent version -> handle vulnerabilities on a case by
+ NOTE: case basis (hle)
--
jruby
--
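Review bot: the removed line `NOTE: CVE-2019-11598: patch is broken. Wait for followup patches.` carried actionable state for a specific CVE, and the replacement note about case-by-case handling does not preserve it; unless the followup patches have landed, that line should stay beneath the new note so the next person working on imagemagick does not apply a known-bad patch. Minor style point: "case by case basis" reads better hyphenated as "case-by-case basis".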
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/1d48d724ff1a6b7c9276fb5ff4a0590701e29f72...1e666606ff533ca89aa93f27d279a7e55940fc50