Bug#794478: Fwd: Bug#794478: [Security][RC] RFS: imagemagick/8:6.8.9.9-5+deb8u1

2015-08-10 Thread Alessandro Ghedini
On Sat, Aug 08, 2015 at 09:25:01pm +0200, Bastien ROUCARIES wrote:
> Dear security team
> 
>   I am looking for a sponsor for my package "imagemagick" about a
> security fix and I am waiting for your green light. Fixing #770009
> helps buildd but is not a security fix (but nevertheless it will help
> the infrastructure).

Thanks for your help; however, all the issues fixed by this update are marked
"no-dsa" in the security tracker [0] for being of minor impact, so we won't
release a DSA for them alone (feel free to comment if you disagree).

As far as wheezy (oldstable) is concerned, there is the matter of #773834
(which is not marked no-dsa), so if you decide to prepare a wheezy-security
upload fixing those issues, you can include the no-dsa fixes as well.

Given that you already prepared the package for jessie, it should be released
through stable-proposed-updates instead, as explained at [1] (so the release
team will handle this). You'll only need to change the target distribution and
open a bug report against release.debian.org (just follow the "reportbug"
instructions).

>* Fix four security bugs:
>  - A DOS on specially crafted MIFF file (TEMP-000-FDAC72).
>  - A DOS on specially crafted Vicar file (TEMP-000-EEF23C).
>  - A DOS on specially crafted HDR file (TEMP-000-7C079F).
>  - A DOS on specially crafted PDB file (TEMP-000-2FC21E).

Please don't mention the "TEMP-" IDs in the changelog, since, as the prefix
suggests, they are only temporary and may change in the future. Proper CVE IDs
were requested for these issues a few months ago [2], but apparently they
haven't been assigned yet.

Again, thanks for your work.

Cheers

[0] https://security-tracker.debian.org/tracker/source-package/imagemagick
[1] https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
[2] http://www.openwall.com/lists/oss-security/2015/02/26/13




Bug#794478: Fwd: Bug#794478: [Security][RC] RFS: imagemagick/8:6.8.9.9-5+deb8u1

2015-08-08 Thread Bastien ROUCARIES
Dear security team

  I am looking for a sponsor for my package "imagemagick" about a
security fix and I am waiting for your green light. Fixing #770009
helps buildd but is not a security fix (but nevertheless it will help
the infrastructure).
The other ones are DOS.

  Changes since the last upload:

   * Fix build on mips by printing progress (Closes: #770009).
   * Fix four security bugs:
     - A DOS on specially crafted MIFF file (TEMP-000-FDAC72).
     - A DOS on specially crafted Vicar file (TEMP-000-EEF23C).
     - A DOS on specially crafted HDR file (TEMP-000-7C079F).
     - A DOS on specially crafted PDB file (TEMP-000-2FC21E).

Joined debdiff

I plan to upload oldstable and oldoldstable versions, fixing the same
bug and closing all security backlog

  Regards,
   bastien roucaries

