On Sat, Aug 08, 2015 at 09:25:01pm +0200, Bastien ROUCARIES wrote:
> Dear security team
>
> I am looking for a sponsor for my package "imagemagick" about a
> security fix and I am waiting for your green light.. Fixing #770009
> help buildd but is not a security fix (but nevertheless it will help
> the infrastructure).

Thanks for your help, however, all the issues fixed by this update are marked "no-dsa" in the security tracker [0] for being of minor impact, so we won't release a DSA for them alone (feel free to comment if you disagree).

As far as wheezy (oldstable) is concerned, there is the matter of #773834 (which is not marked no-dsa), so if you decide to prepare a wheezy-security upload fixing those issues, you can include the no-dsa fixes as well.

Given that you already prepared the package for jessie, it should be released through stable-proposed-updates instead, as explained at [1] (so the release team will handle this). You'll only need to change the target distribution and open a bug report against release.debian.org (just follow the "reportbug" instructions).

> * Fix four security bugs:
>   - A DOS on specially crafted MIFF file (TEMP-0000000-FDAC72).
>   - A DOS on specially crafted Vicar file (TEMP-0000000-EEF23C).
>   - A DOS on specially crafted HDR file (TEMP-0000000-7C079F).
>   - A DOs on specially crafted PDB file (TEMP-0000000-2FC21E).

Please don't mention the "TEMP-" IDs in the changelog, since, as the prefix suggests, they are only temporary and may change in the future. Proper CVE IDs were requested for these issues a few months ago [2], but apparently they haven't been assigned yet.

Again, thanks for your work.

Cheers

[0] https://security-tracker.debian.org/tracker/source-package/imagemagick
[1] https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
[2] http://www.openwall.com/lists/oss-security/2015/02/26/13