On Tue, Jul 13, 2010 at 10:01:13 (EDT), Rémi Denis-Courmont wrote:

>> Ping maintainers and debian security team. Indicate the security
>> issue, the patch and/or new tarball.
>
> It's not like it's not known:
> http://security-tracker.debian.org/tracker/status/release/stable

it lists 4 CVEs: CVE-2010-1441 - 1445, all of them only affecting the
0.8 series and without any details. So this piece of information is
pretty useless for identifying missing changes in 0.8.x.

A tad more insightful is http://www.videolan.org/security/sa1003.html,
which at least mentions:

 - Heap buffer overflow vulnerability in A/52, DTS and MPEG Audio decoders
 - Invalid memory access in AVI, ASF, Matroska (MKV) demuxers
 - Invalid memory access in XSPF playlist parser
 - Invalid memory access in ZIP archive decompressor
 - Heap buffer overflow in RTMP access

I guess each of them matches the respective CVE number. BTW, this is
only half the story you mentioned in the beginning of this thread.

> It's more like nobody cares.

I don't think that's accurate. I'd rather guess that there is no one in
the distro camp that knows how to match these 5 issues to patches that
fix them.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
