[Bug 1647226] Re: FFmpeg security fixes December 2016 (xenial)

2016-12-10 Thread Mathew Hodson
zesty has 3.2.2, which has fixes for the listed CVEs.
** Changed in: ffmpeg (Ubuntu)
   Status: Invalid => Fix Released
** No longer affects: ffmpeg (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1647226] Re: FFmpeg security fixes December 2016 (xenial)

2016-12-10 Thread Mathew Hodson
** Changed in: ffmpeg (Ubuntu Xenial)
   Importance: Undecided => Low
** Changed in: ffmpeg (Ubuntu)
   Importance: Undecided => Low
https://bugs.launchpad.net/bugs/1647226

[Bug 1647226] Re: FFmpeg security fixes December 2016 (xenial)

2016-12-10 Thread Andreas Cadhalpun
Debdiff mentioning the CVEs in the changelog is attached.
** Patch added: "debdiff for 2.8.10"
   https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1647226/+attachment/4790034/+files/ffmpeg_2.8.10.debdiff

[Bug 1647226] Re: FFmpeg security fixes December 2016 (xenial)

2016-12-10 Thread Mattia Rizzolo
OK, could you add them to the changelog please? (Note that I "invalidated" the "devel" task, the xenial task is good; this makes for a better view in the sponsoring overview.)
** Changed in: ffmpeg (Ubuntu)
   Status: New => Invalid

[Bug 1647226] Re: FFmpeg security fixes December 2016 (xenial)

2016-12-10 Thread Andreas Cadhalpun
For 2.8.9 there are now CVEs available [1]: CVE-2016-7502, CVE-2016-7785, CVE-2016-7905, CVE-2016-7562
1: https://ffmpeg.org/security.html
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7502
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7562
**

[Bug 1647226] Re: FFmpeg security fixes December 2016 (xenial)

2016-12-10 Thread Andreas Cadhalpun
CVEs aren't available yet, but this fixes important security issues like:
https://trac.ffmpeg.org/ticket/5992
https://trac.ffmpeg.org/ticket/5994
** Bug watch added: FFmpeg Trac bug tracker #5992
   https://trac.ffmpeg.org/ticket/5992
** Bug watch added: FFmpeg Trac bug tracker #5994

[Bug 1647226] Re: FFmpeg security fixes December 2016

2016-12-10 Thread Mattia Rizzolo
** Also affects: ffmpeg (Ubuntu Xenial)
   Importance: Undecided
   Status: New
** Changed in: ffmpeg (Ubuntu)
   Status: New => Invalid
** Changed in: ffmpeg (Ubuntu Xenial)
   Status: New => Triaged
** Summary changed:
- FFmpeg security fixes December 2016
+ FFmpeg security fixes

[Bug 1647226] Re: FFmpeg security fixes December 2016

2016-12-10 Thread Mattia Rizzolo
This one upload doesn't seem to fix any CVE, why should it go through security over regular SRU?

[Bug 1647226] Re: FFmpeg security fixes December 2016

2016-12-07 Thread Andreas Cadhalpun
There has been another release fixing bugs in network code:
version 2.8.10
- avformat/http: Match chunksize checks to master..3.0
- Changelog: fix typos
- ffserver: Check chunk size
- Avoid using the term "file" and prefer "url" in some docs and comments
- avformat/rtmppkt: Check for packet size

[Bug 1647226] Re: FFmpeg security fixes December 2016

2016-12-04 Thread Andreas Cadhalpun
Attached is a debdiff. (git repo is at [1])
Testing performed (in a xenial chroot):
* build including test suite works
* installation works
* upgrade works
* autopkgtests pass
1: https://anonscm.debian.org/cgit/pkg-multimedia/ffmpeg.git/log/?h=xenial
** Patch added: "debdiff for 2.8.9"