On Thu, Jan 06, 2022 at 13:12:51 +0000, FFmpeg user discussions wrote:
> I am currently a data scientist at USAA. I was trying to use FFMPEG 4.4.1 to
> convert spex audio files to wav audio format.
>
> My security team denied the download of the package, and here is the
> following explanation that they gave:
> DOWNLOAD DENIED: Multiple known vulnerabilities like CVE-2021-38171
> I was wondering how I can get this fixed or if it is already fixed in a later
> version?
The fix is mentioned in the CVE (https://nvd.nist.gov/vuln/detail/CVE-2021-38171):

https://github.com/FFmpeg/FFmpeg/commit/9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6

It was ported to the 4.4 branch here:

https://github.com/FFmpeg/FFmpeg/commit/fb993619d1035fa9646506925ea70fb122038999

and that is contained in release 4.4.1, as far as I can tell (by "git tag --contains fb993619d1035fa9646506925ea70fb122038999").

So the CVE refers to version 4.4, and version 4.4.1 fixes this and is therefore not affected, AFAICT. You'll have to have your security team check 4.4.1.

You may need to check each CVE separately (they mention "multiple known vulnerabilities"). If in doubt, disable the affected feature (as in this case: the ADTS muxer).

Hope this helps,
Moritz
