Opened 2 years ago

Last modified 2 months ago

#16962 new enhancement

ImageMagick (Update before next release)

Reported by: Bruce Dubbs Owned by: blfs-book
Priority: normal Milestone: pre-release
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New version.

Change History (9)

comment:1 by ken@…, 21 months ago

Owner: changed from blfs-book to ken@…

Current is 7.1.0-61 from Sunday. Changelog at https://github.com/ImageMagick/Website/blob/main/ChangeLog.md - seems to just be bugfixes since 7.1.0-49.

comment:2 by ken@…, 21 months ago

Owner: changed from ken@… to blfs-book
Summary: ImageMagick-7.1.0-47 (Update before next release)ImageMagick (Update before next release)

Updated to 7.1.0-61 in b26ff3c85d3f6abd0a28de2bf38ebc3c63e3abae 11.2-1073

comment:3 by ken@…, 16 months ago

I've seen a few mentions of ImageMagick CVEs recently, but it is hard to get a rliable source. Yesterday I found https://www.cvedetails.com/vulnerability-list/vendor_id-1749/Imagemagick.html which is not-exactly reliable (as with other sites, a mix of IM-6.9 and IM-7.0+), and the item marked there as Critical appears to be invalid (not a default option), working as defined. Hovever, some items are valid for 7.0+. Will raise a ticket.

for the future, ChangeLog is now at https://github.com/ImageMagick/Website/blob/main/ChangeLog.md

comment:4 by Bruce Dubbs, 14 months ago

Updating to 7.1.1-15

comment:5 by Bruce Dubbs, 13 months ago

Milestone: holdpre-release

comment:6 by ken@…, 8 months ago

Owner: changed from blfs-book to ken@…
Status: newassigned

Latest version is now 7.1.1-28 from 11th February.

changes are listed at the ChangeLog.md link above. There are links to GHSA security advisories for 7.1.1-24 for corrupt DejaVu images and to test if meta channels exceed max, but the links are dead and no advisories are listed after 7.1.1-13.

It appears ImageMagick is now its own CVE Numbering Authority (CNA) - there were commits in 7.1.1-16 to update SECURITY.md.

Nevertheless, Mitre has recorded a few CVEs raised by RedHat, of which one applies to ImageMagick after 7.1.1-15:

CVE-2023-5341 A heap use-after-free flaw was found in coders/bmp.c Medium - fix is in 7.1.1-19

There were some other CVEs raised by RedHat, but no links to commits at ImageMagick, so perhaps disputed.

I'll take a look at 7.1.1-28

comment:7 by ken@…, 8 months ago

Updates completed in a series of three commits ending in sha:r12.0-1559-g2864283c1e

comment:8 by ken@…, 8 months ago

Owner: changed from ken@… to blfs-book
Status: assignednew

Security Advisory SA-12.0-099 created.

comment:9 by Douglas R. Reno, 2 months ago

For BLFS 12.2, see Ticket #20222

Note: See TracTickets for help on using tickets.