Re: Wheezy update of vorbis-tools for CVE-2015-6749
> yes, any LTS upload needs a DLA after the package arrives in the
> archive. The security tracker contains a script (bin/gen-DLA) that
> creates a template for such a DLA, you just have to fill in some
> description. If you don't want to do this, don't hesitate to inform
> the LTS team and somebody else will do the bookkeeping.
Thank you. I'm building and testing in wheezy at the moment, and will
upload when I am done. I would be very happy if someone else took the
> While you are at it, there are also CVE-2014-9640 and CVE-2014-9639, which
> can be seen in.
Ah, good point. The changelog in git looks like this now:

vorbis-tools (1.4.0-1+deb7u1) wheezy-security; urgency=medium

  * oggenc: Fix large alloca on bad AIFF input to oggenc (CVE-2015-6749)
  * oggenc: Validate count of channels in the header (CVE-2014-9638, CVE-2014-9639).
  * Fix oggenc crash on closing raw input files by backporting r19117 from upstream
    (CVE-2014-9640) (Closes: #771363).

 -- Petter Reinholdtsen <email@example.com>  Sun, 02 Jul 2017 20:53:04 +0200