Your message dated Sat, 21 Feb 2026 23:53:41 +0100
with message-id <[email protected]>
and subject line Re: Bug#1128624: [ffmpeg] vulnerable to CVE-2026-2447
has caused the Debian Bug report #1128624,
regarding [ffmpeg] vulnerable to CVE-2026-2447
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1128624: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128624
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ffmpeg
Version: 7:8.0.1-3
Severity: grave

Dear maintainer, you may be aware of the recent high-profile security
vulnerability patched in libvpx (CVE-2026-2447).

Please be aware that while libvpx12 in the Sid archive is patched for
this, libvpx11 is not, and ffmpeg libraries libavcodec61 and
libavcodec-extra61 depend upon libvpx11 not libvpx12.

This leaves users of the likes of ffmpeg, blender, handbrake, kodi, and
linphone potentially vulnerable.

I've filed a bug against libvpx11 itself (#1128623). Hopefully its
maintainer will backport patches. Otherwise please can you look at
patching ffmpeg to use libvpx12.

--- End Message ---
--- Begin Message ---
On 2026-02-21 22:47:26 +0000, Lyndon Brown wrote:
> Source: ffmpeg
> Version: 7:8.0.1-3
> Severity: grave
> 
> Dear maintainer, you may be aware of the recent high-profile security
> vulnerability patched in libvpx (CVE-2026-2447).
> 
> Please be aware that while libvpx12 in the Sid archive is patched for
> this, libvpx11 is not, and ffmpeg libraries libavcodec61 and
> libavcodec-extra61 depend upon libvpx11 not libvpx12.

libavcodec61 and libavcodec-extra61 are cruft packages from ffmpeg
7.0.x.

> This leaves users of the likes of ffmpeg, blender, handbrake, kodi, and
> linphone potentially vulnerable.

See the open FTBFS bugs of handbrake, kodi, and others. There is nothing
in ffmpeg that can be done to fix those.

> I've filed a bug against libvpx11 itself (#1128623). Hopefully its
> maintainer will backport patches. Otherwise please can you look at
> patching ffmpeg to use libvpx12.

ffmpeg is already using libvpx12. Closing.

Cheers
-- 
Sebastian Ramacher

--- End Message ---
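The dependency question discussed in this thread (which installed packages still pull in libvpx11 rather than libvpx12) can be checked locally. The following is an added example, not part of the original messages or of any Debian tooling: it parses dpkg status-format stanzas and reports installed packages that depend on a given library package. The function names, the sample stanzas, and every package name other than libavcodec61, libvpx11 and libvpx12 are assumptions constructed for illustration.

```python
import re
# Constructed sample (dpkg status format); names not in the thread and all versions are made up.
SAMPLE_STATUS = """\
Package: libavcodec61
Status: install ok installed
Depends: libc6 (>= 0.0), libvpx11 (>= 0.0),
 libexample1

Package: example-new-codec
Status: install ok installed
Depends: libvpx12 (>= 0.0)

Package: example-removed-player
Status: deinstall ok config-files
Depends: libvpx11

Package: example-media-tool
Status: install ok installed
Pre-Depends: libvpx11:any | libvpx12
"""

def parse_stanzas(text):
    """Yield one dict per stanza, folding continuation lines into their field."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields

def dep_groups(field):
    """Return each comma clause as a list of alternative package names."""
    name = lambda alt: re.split(r"[\s(:\[]", alt.strip(), maxsplit=1)[0]
    return [[name(a) for a in c.split("|")] for c in field.split(",") if c.strip()]

def installed_dependents(status_text, target):
    """Map installed package -> 'hard' or 'alternative' dependency on target."""
    hits = {}
    for st in parse_stanzas(status_text):
        if st.get("Status", "").split()[-1:] != ["installed"]:
            continue  # skip removed packages that only left config files
        for field in ("Pre-Depends", "Depends"):
            for alts in dep_groups(st.get(field, "")):
                if target in alts and hits.get(st["Package"]) != "hard":
                    hits[st["Package"]] = "hard" if len(alts) == 1 else "alternative"
    return hits
```

On a real system, pass the contents of /var/lib/dpkg/status as `status_text`; a "hard" hit means the package cannot be satisfied by libvpx12 alone.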
