On 2/21/26 17:38, Lyndon Brown wrote:
Package: libvpx11
Version: 1.15.2-2
Severity: grave
Dear maintainer, thank you for promptly updating libvpx12 to address
the recent high-profile security vulnerability (CVE-2026-2447).
However, I'm concerned about libvpx11. This exists alongside libvpx12
in the Sid archive and does not appear to have had any vulnerability
fixes backported to it yet.
It is currently depended upon by:
- libavcodec61
- libavcodec-extra61
- libmediastreamer2-14
- utox
And thus transitively by the likes of blender, handbrake, kodi, and
linphone.
It is unfortunate that the security tracker gives a false suggestion
that Sid is fully patched, when in fact only libvpx12 and presumably
the source package are patched, but not libvpx11.
Hm, I'd say that the packages with rdeps of libvpx11 simply need a
binNMU, but I'm not sure that kodi in particular with be able to be
rebuilt in sid..
