On Tue, Oct 25, 2016 at 10:38:04AM +0200, Hugo Lefeuvre wrote:
> > > However, more than 15 CVEs are still affecting libav in Debian wheezy.
> > > Would it be feasible to work on a new point release fixing some of
> > > them ?
> >
> > Yes, I plan to and will after I'm back from a short trip to SF after the
> > 16th.
>
> New security issues potentially affecting libav 0.8 have been reported since
> the beginning of the month[0].
>
> Could you briefly summarize us the status of your work on the 0.8 branch ?

I looked into backporting the fixes for

https://lists.debian.org/debian-lts/2016/09/msg00211.html

that the Mozilla people complained about from the 9 release branch to
the 0.8 release branch. It's entirely nontrivial since the commits that
fix the issue constitute a major refactoring. I'm about halfway into the
process and my intermediate result is failing many tests. It's unclear
to me at this point if the result is worth the trouble :-/

> Let me know if I can speed up the process by preparing patches. If yes, please,
> mention the issues you are currently working on, so we avoid duplicate work.
>
> [0] https://security-tracker.debian.org/tracker/source-package/libav

CVE-2016-7424:
I cannot reproduce the crash with 0.8, so Wheezy should not have a problem.

CVE-2016-8675 / CVE-2016-8676
I can reproduce the crash with 0.8 and 11 so both Wheezy and Jessie are
affected.

Diego