Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:

dfb1e7f5 by Carlos Henrique Lima Melara at 2026-02-08T15:16:52-03:00
Update CVE-2023-6601/ffmpeg triaging, bookworm and bullseye affected

Initially the vulnerability was marked as fixed by 91d96dc, but upstream marked d09f50c as fixing it [1]. After going through the description and reproducer, d09f50c indeed fixes the CVE. This commit was never cherry-picked in upstream patch releases of 5.1 or 4.3, so both bookworm and bullseye are vulnerable.

[1] https://www.ffmpeg.org/security.html

- - - - -

4a41a11e by Salvatore Bonaccorso at 2026-02-08T20:47:26+01:00
Merge branch 'update-ffmpeg-triaging' into 'master'

Update CVE-2023-6601/ffmpeg triaging, bookworm and bullseye affected

See merge request security-tracker-team/security-tracker!264

- - - - -

3 changed files:
- data/CVE/list
- data/DLA/list
- data/DSA/list

Changes:

=====================================
data/CVE/list
=====================================
@@ -138296,12 +138296,11 @@ CVE-2023-6604 (A flaw was found in FFmpeg. This vulnerability allows unexpected NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/b753bac08f6881b2d3dea8f1ab84c81550f35897 (n7.1.1) NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57 (n5.1.7) CVE-2023-6601 (A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows by ...) - {DSA-5985-1 DLA-4241-1} - - ffmpeg 7:7.1.1-1 + - ffmpeg 7:6.1-1 + [bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 5.1 branch) + [bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 4.3 branch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2253172 - NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/91d96dc8ddaebe0b6cb393f672085e6bfaf15a31 (master) - NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/b753bac08f6881b2d3dea8f1ab84c81550f35897 (n7.1.1) - NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57 (n5.1.7) + NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/d09f50c0f5f045dec35f0ca22c2212fae2378dba (n6.1) CVE-2024-56769 (In the Linux kernel, the following vulnerability has been resolved: m ...) {DLA-4076-1 DLA-4075-1} - linux 6.12.8-1 ===================================== data/DLA/list ===================================== @@ -705,7 +705,7 @@ {CVE-2022-25844 CVE-2023-26116 CVE-2023-26117 CVE-2023-26118 CVE-2024-8372 CVE-2024-8373 CVE-2024-21490 CVE-2025-0716 CVE-2025-2336} [bullseye] - angular.js 1.8.3-1+deb12u1~deb11u1 [14 Jul 2025] DLA-4241-1 ffmpeg - security update - {CVE-2023-6601 CVE-2023-6602 CVE-2023-6604 CVE-2023-6605} + {CVE-2023-6602 CVE-2023-6604 CVE-2023-6605} [bullseye] - ffmpeg 7:4.3.9-0+deb11u1 [12 Jul 2025] DLA-4240-1 redis - security update {CVE-2025-32023 CVE-2025-48367} ===================================== data/DSA/list ===================================== 
@@ -517,7 +517,7 @@ [bookworm] - node-cipher-base 1.0.4-6+deb12u1 [trixie] - node-cipher-base 1.0.4-6+deb13u1 [25 Aug 2025] DSA-5985-1 ffmpeg - security update - {CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2024-31582 CVE-2024-35367 CVE-2024-35368 CVE-2025-0518 CVE-2025-7700 CVE-2025-22919 CVE-2023-6605 CVE-2023-6602 CVE-2023-6604 CVE-2023-6601 CVE-2025-59731 CVE-2025-59732 CVE-2025-59733 CVE-2025-9951} + {CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2024-31582 CVE-2024-35367 CVE-2024-35368 CVE-2025-0518 CVE-2025-7700 CVE-2025-22919 CVE-2023-6605 CVE-2023-6602 CVE-2023-6604 CVE-2025-59731 CVE-2025-59732 CVE-2025-59733 CVE-2025-9951} [bookworm] - ffmpeg 7:5.1.7-0+deb12u1 [24 Aug 2025] DSA-5984-1 thunderbird - security update {CVE-2025-9179 CVE-2025-9180 CVE-2025-9181 CVE-2025-9185}

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8603934fb700b0c92345820491e96b920c452f0c...4a41a11e45fb1fa28f2c752bfbcb05f308c880d9
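
Review bot: In the CVE-2023-6601 entry of data/CVE/list, the three removed "Fixed by" notes (91d96dc, b753bac, 9803800) leave no trace in the entry itself, and the reason for the re-attribution lives only in the commit message. The backport commits b753bac and 9803800 are still listed under CVE-2023-6604 in the context lines just above, so a later triager comparing the two entries could reasonably re-add them here. Suggest adding a NOTE line recording that upstream's security page names d09f50c as the fix and that 91d96dc was the earlier attribution. Since both `<postponed>` reasons say to wait for the 5.1 and 4.3 branches, a NOTE that d09f50c has not been cherry-picked to those branches would also make the wait condition checkable.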
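
Review bot: In the data/DLA/list and data/DSA/list hunks, CVE-2023-6601 is dropped from DLA-4241-1 (14 Jul 2025) and DSA-5985-1 (25 Aug 2025), both of which already carry release dates and fixed versions (7:4.3.9-0+deb11u1 and 7:5.1.7-0+deb12u1), and after this change nothing in the tracker data records that these advisories once listed the CVE. Anyone who treated bullseye or bookworm as fixed on the strength of those entries gets no hint that the status was reversed. Suggest a NOTE under CVE-2023-6601 in data/CVE/list stating that DSA-5985-1 and DLA-4241-1 originally listed the CVE and that, per the commit message, the 5.1 and 4.3 patch releases do not contain d09f50c.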
