On 11/15/19 12:27 PM, Pavel Sanda wrote:
> On Fri, Nov 15, 2019 at 10:29:37AM -0500, John wrote:
>> LyX for Windows installer 2.3.3-1 installs ImageMagick 7.0.7-27. This
>> version is subject to multiple buffer overflows (stack and heap) and
>> several other vulnerabilities, allowing remote code execution if the user
>> opens a LyX document incorporating a specially-crafted image.
>>
>> Solution: Upgrade to ImageMagick 7.0.8-56 or newer in the LyX installer
>> package.
> This is an unfortunate consequence of Windows packaging, and it is true in
> the long term that all bugs which are discovered in supporting packages
> (e.g. imagemagick/ghostscript) won't be quickly fixed. We unfortunately do
> not have the manpower to issue a new installer just after the next security
> bug appears in those packages.
>
> The good news is that 2.3.4 should be released rather soon with hopefully
> updated IM.

I will figure out how to update IM when we release 2.3.4. It's largely because I haven't had time to do that that I haven't done it.

Riki

--
lyx-devel mailing list
lyx-devel@lists.lyx.org
http://lists.lyx.org/mailman/listinfo/lyx-devel