On 2026-02-21 17:49:18 -0500, Andres Salomon wrote:
> On 2/21/26 17:38, Lyndon Brown wrote:
> > Package: libvpx11
> > Version: 1.15.2-2
> > Severity: grave
> >
> > Dear maintainer, thank you for promptly updating libvpx12 to address
> > the recent high-profile security vulnerability (CVE-2026-2447).
> >
> > However, I'm concerned about libvpx11. This exists alongside libvpx12
> > in the Sid archive and does not appear to have had any vulnerability
> > fixes backported to it yet.
> >
> > It is currently depended upon by:
> > - libavcodec61
> > - libavcodec-extra61
> > - libmediastreamer2-14
> > - utox
> >
> > And thus transitively by the likes of blender, handbrake, kodi, and
> > linphone.
> >
> > It is unfortunate that the security tracker gives a false suggestion
> > that Sid is fully patched, when in fact only libvpx12 and presumably
> > the source package are patched, but not libvpx11.
> >
>
> Hm, I'd say that the packages with rdeps of libvpx11 simply need a binNMU,
> but I'm not sure that kodi in particular will be able to be rebuilt in sid..

Packages that still depend on libvpx11 FTBS against ffmpeg 8.0. A binNMU won't be possible.

Cheers
--
Sebastian Ramacher

