[SECURITY] [DLA 4241-1] ffmpeg security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4241-1] ffmpeg security update
From: Adrian Bunk <bunk@debian.org>
Date: Mon, 14 Jul 2025 15:20:05 +0300
Message-id: <[🔎] aHT19aA9FzrXGxIg@localhost>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4241-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
July 14, 2025                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : ffmpeg
Version        : 7:4.3.9-0+deb11u1
CVE ID         : CVE-2023-6601 CVE-2023-6602 CVE-2023-6604 CVE-2023-6605

Multiple vulnerabilities have been fixed in the multimedia framework FFmpeg.

CVE-2023-6601

    Triggering arbitrary demuxers via base64 data URIs

CVE-2023-6602

    Improper parsing of input files in HLS playlists

CVE-2023-6604

    Demuxing of arbitrary data as XBIN-formatted data

CVE-2023-6605

    Arbitrary HTTP GET requests via crafted DASH playlist

For Debian 11 bullseye, these problems have been fixed in version
7:4.3.9-0+deb11u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmh09fIACgkQiNJCh6LY
mLGZ+Q/7BoiWbJA0FbJ6Q0Faditd14nGE73yXgHAA8Hw29U+rFPG/hwZNcJRK7UI
NaM0PcOXAJL9fvAqQtdTiVXQNTFs/uaVTQavLlfqG3AjWSCCA/3+Od+j/Dy/4JCQ
EDs5yIhBBPcifTIhzsH5rjrVmtTYy11sMn3hV4CpqsZUsrzICz1aMe1wRXJBajtX
v+daY00mQZDgygJ3po1XICBW0axA8G6rnxQiLFJog73blWRGJrEOhQcjKPGcr60y
ourgttqInycbdPZc9ydwZ2n9PGefD50lWR0fvSjasL7Qyp3BfxeV7dCO1427WX4r
gJOivIGVBiYBgjQbRAGZ3MExtDuRtqisPZ61ZXm6gZkBKG5HzfzZu/+iWReI1dqL
liEFc+FqCi6FSFJ9WgcE1xXpHZF5mN7TVubaONeKz3Tdn3C48j/Nm7keBYu+60xS
JXBSE0OarXjRPN68SCI3CmIaDqEScgilLHaADCM81qfqI0Tzaz9X+PI63SfCa7jj
F8t2l26kBbV4FYZMM1qSDK49sCrUagNoa58LIhRYjV3V+7lRfBUfsCMfOrS3N4Tl
XltLH1LImlzcEWyc4nYJ28vsVh2SFlZgzKA9BruxkFrWqCS4Y0wlpci6/Pi9/tYa
evykOECo0xVO/hrqatZXXu/y0JZFGWuUr5PlDcXbFopACQ02lQ8=
=Zq3u
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4240-1] redis security update
Next by Date: [SECURITY] [DLA 4242-1] angular.js security update
Previous by thread: [SECURITY] [DLA 4240-1] redis security update
Next by thread: [SECURITY] [DLA 4242-1] angular.js security update
Index(es):
- Date
- Thread