Your message dated Thu, 19 Feb 2026 20:36:52 +0000
with message-id <[email protected]>
and subject line Bug#1128283: fixed in libvpx 1.16.0-3
has caused the Debian Bug report #1128283,
regarding libvpx: CVE-2026-2447
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1128283: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128283
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libvpx
Version: 1.16.0-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libvpx.

CVE-2026-2447[0]:
| Heap buffer overflow in libvpx. This vulnerability affects Firefox <
| 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird
| < 140.7.2, and Thunderbird < 147.0.2.

This corresponds to [1] and [2] and Google Chrome covered it in
CVE-2026-1861.

Probably libvpx should get a CVE on its own, but I'm not 100% certain
about the ruling here, as Mozilla and Google used a separate CVE for
their use of libvpx in their products.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2447
    https://www.cve.org/CVERecord?id=CVE-2026-2447
[1] https://issues.oss-fuzz.com/issues/476466137
[2] https://chromium.googlesource.com/webm/libvpx/+/d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libvpx
Source-Version: 1.16.0-3
Done: Sebastian Ramacher <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libvpx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <[email protected]> (supplier of updated libvpx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 19 Feb 2026 21:23:04 +0100
Source: libvpx
Architecture: source
Version: 1.16.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Sebastian Ramacher <[email protected]>
Closes: 1128283
Changes:
 libvpx (1.16.0-3) unstable; urgency=medium
 .
   * debian/patches: Apply upstream patch for CVE-2026-2447 (Closes: #1128283)



--- End Message ---