[Git][security-tracker-team/security-tracker][master] Reserve DLA-1968-1 for imagemagick

Hugo Lefeuvre hle at debian.org
Mon Oct 21 09:44:18 BST 2019



Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0b128825 by Hugo Lefeuvre at 2019-10-21T08:44:03Z
Reserve DLA-1968-1 for imagemagick

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[21 Oct 2019] DLA-1968-1 imagemagick - security update
+	{CVE-2019-11470 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140}
+	[jessie] - imagemagick 8:6.8.9.9-5+deb8u18
 [21 Oct 2019] DLA-1967-1 libpcap - security update
 	{CVE-2019-15165}
 	[jessie] - libpcap 1.6.2-2+deb8u1
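Review bot: The CVE set on the new DLA-1968-1 entry (CVE-2019-11470, CVE-2019-14981, CVE-2019-15139, CVE-2019-15140) has no overlap with the CVEs named in the imagemagick notes this same commit deletes from data/dla-needed.txt (CVE-2019-13391, CVE-2019-13308, CVE-2019-10131, CVE-2019-17540). If those four are deliberately left out of 8:6.8.9.9-5+deb8u18, say so in the commit message or in a note, so a reader of the list does not assume this update closes every open imagemagick issue in jessie.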


=====================================
data/dla-needed.txt
=====================================
@@ -32,16 +32,6 @@ hdf5
 ibus
   NOTE: 20191020: Fix for regression in KDE apps still not available (apo)
 --
-imagemagick (Hugo Lefeuvre)
-  NOTE: CVE-2019-13391, CVE-2019-13308: patch is large, undocumented and potentially
-  NOTE: insufficient. wait for upstream to answer on bug report, or tag <ignored>.
-  NOTE: CVE-2019-10131: patch is sufficient, but technically so-so in my opinion:
-  NOTE: instead of avoiding off-by-one reads (check length BEFORE reading, not after!)
-  NOTE: we allocate one more byte. this works, but does not 'obviously' fix the issue and
-  NOTE: can be misleading... DEP3 comments would be nice. (hle)
-  NOTE: 20191019: preparing an update for the new batch of CVEs.
-  NOTE: CVE-2019-17540: unclear upstream fixes in ImageMagick6, this is very messy.
---
 imapfilter
   NOTE: 20190910: No patch exists but a possible solution. Note that openssl in
   NOTE: Jessie is < 1.0.2. (apo)
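Review bot: Deleting the whole imagemagick block also deletes the only visible record of why several CVEs were held back: the "large, undocumented and potentially insufficient" patch for CVE-2019-13391 and CVE-2019-13308, the objection that the CVE-2019-10131 fix allocates one more byte instead of checking the length before the read, and the unclear upstream fixes for CVE-2019-17540. None of these are covered by the DLA reserved in this commit, so either keep a trimmed imagemagick entry here for the outstanding ones or record the notes elsewhere in the tracker before removing them, including the pending decision on whether to tag them <ignored>.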



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b128825ec0ad730303a944b6d0c446a8d3a9613
