[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: wheezy update for libav

On Tue, Sep 13, 2016 at 03:14:41PM +0200, Markus Koschany wrote:
> On 13.09.2016 15:00, Diego Biurrun wrote:
> > On Mon, Sep 12, 2016 at 12:52:32PM +0200, Hugo Lefeuvre wrote:
> >>> I'm counting 22 open CVEs for libav at the moment. Which of them do you
> >>> intend to address with your fixes? Do you mind working together with
> >>> Hugo Lefeuvre on some issues? I could imagine you both could pool your
> >>> resources together.
> >>
> >> (24 if we count the two issues marked no-dsa by the security team)
> >>
> >> Some CVE triage:
> >>
> >> Upstream patch applies directly, or almost:
> >>  CVE-2015-5479
> >>
> >> Upstream patch needs some (heavy) adaptations:
> >>  CVE-2015-1872 
> > 
> > I have already pushed fixes for these two CVEs to the 0.8 branch in
> > July.  I think I notified you, not sure if you put out a new Debian
> > release that includes the fixes.
> I assume by 0.8 branch you are referring to the upstream repository.

I'm referring to the 0.8 branch in the official Libav repository:


> I think it would be easier if you sent the patches to this list or you
> created a new git repository based on Debian's version in Wheezy with
> your patches applied. This would simplify the process to review your work.
> I think you are in the best position to determine what patches should go
> into a new security release. In general we want to fix all open issues.
> We don't necessarily need to fix all at once but having to do several
> small releases, which might be disruptive for users, should be avoided
> if possible.

What's the problem with cooperating through the upstream repository? You
can grab all patches from there, they apply directly to the packaged
sources as well. I also plan to make a new 0.8 release once enough fixes
have accumulated. You can use that as base for your next Debian release.

> In short we need:
> a) the single patches rebased against the current version in Wheezy or a
> Git repository for the same purpose


> b) a concrete statement what patches and how many should go into the
> next security update

All commits in the above branch, which will also appear in the next 0.8

> c) a deadline
> Provided we can clarify a) and b) soon, would it be doable to release a
> new security update at the end of September?

The end of September sounds good to me, I can roll a new release then.

> P.S.: Sending mails to the list should be sufficient because every team
> member is subscribed to it.

OK, only sending to the list now.


Attachment: signature.asc
Description: Digital signature

Reply to: