libRIST 0.2.15 was released as a security update with fixes that affect
the RIST protocol path:
- PSK: prevent an attacker-chosen nonce from resetting the
bad-packet lockout counter.
- PSK: fail closed when PBKDF2 setup fails on the mbedTLS path.
- SRP: drop the sub-1024-bit RFC 5054 groups (NG_512, NG_768) from
the accepted set; bound A and B operand sizes against N; bound
salt/verifier allocations.
- EAP: drop peers that exhaust the authentication retry budget
instead of leaving them in a half-authenticated state.
- CSPRNG: refuse to silently downgrade to a weak entropy source
when seeding fails, and on Windows seed via BCryptGenRandom so
that mbedTLS-backed builds work in sandboxed / hardened
environments where the legacy CryptoAPI is unavailable.
- flow: bound receiver flow count and harden multi-peer growth
paths against a remote-triggered UAF.
Existing FFmpeg behaviour is unchanged; the bump simply requires
distributions to ship a current libRIST.
---
configure | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure b/configure
index 730b4ac46d..f17ae9b095 100755
--- a/configure
+++ b/configure
@@ -7436,7 +7436,7 @@ enabled libqrencode && require_pkg_config
libqrencode libqrencode qrencode
enabled libquirc && require libquirc quirc.h quirc_decode -lquirc
enabled librabbitmq && require_pkg_config librabbitmq "librabbitmq >=
0.7.1" amqp.h amqp_new_connection
enabled librav1e && require_pkg_config librav1e "rav1e >= 0.5.0"
rav1e.h rav1e_context_new
-enabled librist && require_pkg_config librist "librist >= 0.2.7"
librist/librist.h rist_receiver_create
+enabled librist && require_pkg_config librist "librist >= 0.2.15"
librist/librist.h rist_receiver_create
enabled librsvg && require_pkg_config librsvg librsvg-2.0
librsvg-2.0/librsvg/rsvg.h rsvg_handle_new_from_data
enabled librtmp && require_pkg_config librtmp librtmp librtmp/rtmp.h
RTMP_Socket
enabled librubberband && require_pkg_config librubberband "rubberband >=
1.8.1" rubberband/rubberband-c.h rubberband_new -lstdc++ && append
librubberband_extralibs "-lstdc++"
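Review bot: The raised floor on the "librist >= 0.2.15" line is checked only by pkg-config at configure time, so a shared-library build may still load an older libRIST at runtime; the commit message should state that the bump covers the build environment and that distributions must also update the installed runtime library. The diffstat shows configure as the only file touched, so consider adding a Changelog entry for the new minimum, since anyone currently building with librist enabled against 0.2.7 through 0.2.14 will now fail at configure.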
--
2.45.1