[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: wheezy update for libav

On 13.09.2016 15:00, Diego Biurrun wrote:
> On Mon, Sep 12, 2016 at 12:52:32PM +0200, Hugo Lefeuvre wrote:
>>> I'm counting 22 open CVEs for libav at the moment. Which of them do you
>>> intend to address with your fixes? Do you mind working together with
>>> Hugo Lefeuvre on some issues? I could imagine you both could pool your
>>> resources together.
>> (24 if we count the two issues marked no-dsa by the security team)
>> Some CVE triage:
>> Upstream patch applies directly, or almost:
>>  CVE-2015-5479
>> Upstream patch needs some (heavy) adaptations:
>>  CVE-2015-1872 
> I have already pushed fixes for these two CVEs to the 0.8 branch in
> July.  I think I notified you, not sure if you put out a new Debian
> release that includes the fixes.

I assume by 0.8 branch you are referring to the upstream repository. I
think it would be easier if you sent the patches to this list or you
created a new git repository based on Debian's version in Wheezy with
your patches applied. This would simplify the process to review your work.

I think you are in the best position to determine what patches should go
into a new security release. In general we want to fix all open issues.
We don't necessarily need to fix all at once but having to do several
small releases, which might be disruptive for users, should be avoided
if possible.

In short we need:

a) the single patches rebased against the current version in Wheezy or a
Git repository for the same purpose

b) a concrete statement what patches and how many should go into the
next security update

c) a deadline

Provided we can clarify a) and b) soon, would it be doable to release a
new security update at the end of September?

P.S.: Sending mails to the list should be sufficient because every team
member is subscribed to it.



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: