
Re: wheezy update for libav

Hopefully I collected all the right CCs; if just Debian LTS is enough,
please tell me. Sorry for duplicate emails.

On Mon, Sep 12, 2016 at 10:22:29AM +0200, Markus Koschany wrote:
> On 12.09.2016 00:46, Bálint Réczey wrote:
> > 2016-09-12 0:18 GMT+02:00 Hugo Lefeuvre <hle@debian.org>:
> >> I'd like to prepare an LTS upload for libav[0]. The upstream patch for
> >> CVE-2016-7393 is very simple and could be grouped with patches from older
> >> analogous CVEs like CVE-2015-8662 in a broad LTS upload.
> >>
> >> Does anybody think it's a bad idea? These CVEs are minor security
> >> issues, so we could also mark them as no-dsa.
> > 
> > Libav is special because we agreed to work with Diego Biurrun and Markus
> > is his LTS connection:
> > https://lists.debian.org/debian-lts/2016/08/msg00160.html
> > 
> > I would wait for Markus' answer before preparing the update.
> I agree that we should prepare an LTS upload for libav in the near
> future now.
> Diego, could you brief us on the status of your work in progress please?

I'm dreadfully overworked still and not making as much progress as I
hoped so far.

This morning I pushed a fix for CVE-2016-7393 to the libav 0.8 branch.
You can cross that one off your list.

I'm looking at the list of issues as I write this; more fixes should be

> I'm counting 22 open CVEs for libav at the moment. Which of them do you
> intend to address with your fixes? Do you mind working together with
> Hugo Lefeuvre on some issues? I could imagine you both could pool your
> resources together.


