2018-05-15 22:02 GMT+02:00, Bryan Duff <duff0...@gmail.com>:
> Is 2.8.14 up-to-date as far as known security issues (e.g.
> CVEs) are concerned?

2.8 is still supported and gets security updates:
http://ffmpeg.org/download.html
Note that nearly no fixed FFmpeg security issue gets a CVE,
so CVEs have limited relevance for FFmpeg.

> Looking at CVEs for ffmpeg, some will say "3.x.y and before" - does that
> mean that they only affect 3.x? If not and they affect 2.8.14, then there
> are a decent number that affect 2.8.14 (15 of them?)

As said above, the number of CVEs has no relevance here:
the number of fixed issues with possible security implications
per release is approximately an order of magnitude bigger than the
number of reported CVEs.

> For example, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9608
> has commits in the 3.2, 3.3, and master branches, so I'm guessing 2.8 is
> not affected.  Just trying to make sure.

Could you elaborate on what you want to know exactly?
The issue in question was introduced after 2.8 was released, but
I wonder why you chose this example: this is a DoS, but valid
files can easily be found that cause DoS for libavformat /
libavcodec in a given environment, so you have to secure the
libraries independently of our code to avoid DoS.

Carl Eugen
_______________________________________________
ffmpeg-user mailing list
ffmpeg-user@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-user

To unsubscribe, visit link above, or email
ffmpeg-user-requ...@ffmpeg.org with subject "unsubscribe".
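
One way to apply the reply's closing point, limiting resource use outside the libraries themselves, is to run each media job under OS-level limits. This is an added example, not part of the thread and not FFmpeg code; the helper name run_limited and all limit values are assumptions.

```shell
#!/bin/sh
# Added example: run a media-processing command under hard resource limits,
# so that an input causing excessive CPU, memory or run time cannot take the
# host down. run_limited and the values shown are hypothetical.

# usage: run_limited CPU_SECONDS MEM_KIB WALL_SECONDS command [args...]
run_limited() {
    cpu=$1 mem=$2 wall=$3
    shift 3
    (
        # Limits are set in a subshell so the calling shell keeps its own.
        # Fail closed: if a limit cannot be applied, do not run the command.
        ulimit -t "$cpu" || exit 125   # CPU seconds; the kernel kills the
                                       # process once the budget is used up
        ulimit -v "$mem" || exit 125   # address space in KiB; larger
                                       # allocations fail
        ulimit -c 0      || exit 125   # no core dumps from crashing decoders
        # Wall-clock cap catches stalls that burn no CPU (blocked I/O, sleeps).
        # timeout sends TERM after $wall seconds and KILL 2 seconds later.
        exec timeout -k 2 "$wall" "$@"
    )
}

# Constructed usage, file name is a placeholder:
#   run_limited 30 1048576 60 ffprobe -v error -show_format input.mkv
# Exit status 124 means the wall-clock cap fired; 125 means a limit could
# not be set and the command was never started.
```

With GNU coreutils timeout, a job stopped by the wall-clock cap exits with 124, while a job that exhausts its CPU budget exits with a signal status above 128, so the caller can tell the two apart.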
