[Git][security-tracker-team/security-tracker][master] dla-needed: update imagemagick entry

Hugo Lefeuvre hle at debian.org
Mon Sep 2 14:11:33 BST 2019



Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1033631d by Hugo Lefeuvre at 2019-09-02T13:10:18Z
dla-needed: update imagemagick entry

see https://lists.debian.org/debian-lts/2019/09/msg00004.html

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=====================================
data/dla-needed.txt
=====================================
@@ -50,10 +50,15 @@ hdf5 (Hugo Lefeuvre)
 icedtea-web (Markus Koschany)
 --
 imagemagick
-  NOTE: 20190829: Several <no-dsa> and <postponed> issues some of them with simple patch
-  NOTE: 20190829: are still open for jessie. Should be revisited with policy in mind that
-  NOTE: 20190829: we also work on <no-dsa> issues whereas the security team would not.
-  NOTE: 20190829: Only claim this, if nothing more urgent is available in dla-needed.txt.
+  NOTE: 20190902: several minor postponed issues with simple patch: preparing an update
+  NOTE: just for them would be wasting time, but let's include these patches in a
+  NOTE: future update when new issues appear.
+  NOTE: CVE-2019-13391, CVE-2019-13308: patch is large, undocumented and potentially
+  NOTE: insufficient. wait for upstream to answer on bug report, or tag <ignored>.
+  NOTE: CVE-2019-10131: patch is sufficient, but technically so-so in my opinion:
+  NOTE: instead of avoiding off-by-one reads (check length BEFORE reading, not after!)
+  NOTE: we allocate one more byte. this works, but does not 'obviously' fix the issue and
+  NOTE: can be misleading... DEP3 comments would be nice. (hle)
 --
 libav (Mike Gabriel)
   NOTE: 20190831: There are currently 19 CVE issues known for libav in jessie,
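Review bot: In the added imagemagick notes, only the first line carries the 20190902 date stamp, whereas each of the removed lines was prefixed with "NOTE: 20190829:". Stamping the CVE-2019-13391/CVE-2019-13308 and CVE-2019-10131 notes as well would keep each remark datable once later notes are appended. The line "wait for upstream to answer on bug report" does not say which bug report is meant, so a reference to it would let the next person check its status before tagging <ignored>. The removed guidance on when to claim the entry has no replacement, so it is worth stating whether the package is still open to claim or is on hold until new issues appear.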



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1033631d635e0c96f59ede88e5fd72b9cde7bd33
