On 2/23/2025 6:58 PM, Michael Niedermayer wrote:
HiOn Sun, Feb 23, 2025 at 06:45:07PM -0300, James Almer wrote:On 2/23/2025 5:19 PM, Michael Niedermayer wrote:Hi On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote:On 2/23/2025 6:12 AM, Michael Niedermayer wrote:Hi On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:Hi all Today ffmpeg-security was asked why 5 security fixes are missing in 6.1 and from our security page. These issues where posted publically on trac, and fixed by FFmpeg developers. Then someone seems to have registered CVE #s but not mailed ffmpeg-security I suggest 1. if you fix a security issue or apply a security fix, make sure it is backported to all supported releases 2. if you see a CVE # thats not on the security page, mail ffmpeg-security 3. If you see issues on trac that seem important, please make sure they are fixed and backported, having someone like carl who knew and maintained all issues would be quite usefull4. Someone should cross check https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page and backported fixes and backport missing fixes and fix unfixed issues.Why are there memory leaks with a CVE?a memory leak can be a denial of serviceAlso, CVE-2025-1373 is wrong, it doesn't apply to any release, only git master.please add a entry to our security page stating thatHow? It doesn't apply to any release. It's CVE who should fix their description.you can add "never affected a release" (theres already a similar one)
I see what you mean, like in 4.4. In that case i think the proper way to do this is to add it to the 8.0 entry once that's done.
Also, i consider it a bit premature to make a CVE for an issue that's only present in git master and was fixed immediately after it was reported to us. It wasn't realistically deployed anywhere and only pads the list.The world is unlikely to delete a CVE# completely, but you can try. Some pages will refer to the issue and if its not on our page people will be confused If teh page clearly says CVE-2025-1373 doesnt affect any ffmpeg release thats clear and thats the clarity the page is supposed to provide. thx [...] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
