[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Add more <date> fields to the notes.
Mike Gabriel
sunweaver at debian.org
Fri Nov 30 19:17:55 GMT 2018
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3ea39e95 by Mike Gabriel at 2018-11-30T19:15:06Z
data/dla-needed.txt: Add more <date> fields to the notes.
- - - - -
b92d281f by Mike Gabriel at 2018-11-30T19:17:32Z
[libav LTS triaging] data/CVE/list: Add ffmpeg upstream commit that fixes CVE-2015-6761 for jessie.
- reproducing the issue though failed with chromium 57.0.2987.98-1~deb8u1
(this result was expected due to newer ffmpeg shipped in chromium)
- reproducing the issue failed with VLC (linked against jessie's libav)git show
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -144321,7 +144321,7 @@ CVE-2015-6761 (The update_dimensions function in libavcodec/vp8.c in FFmpeg thro
{DSA-3376-1}
- ffmpeg 7:2.8.1-1
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- - libav <undetermined>
+ - libav <removed>
[wheezy] - libav <not-affected> (Vulnerable code not present)
- chromium-browser 44.0.2403.157-1
[wheezy] - chromium-browser <end-of-life>
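Review bot: The changed line `- libav <removed>` leaves jessie's status implicit, because the only release-specific libav annotation visible in this entry is `[wheezy] - libav <not-affected>`. The commit message says this triage is for jessie, and the dla-needed.txt note calls the package "vulnerable (for now)", so consider recording that directly in the CVE entry, either as a jessie-specific line or as a NOTE, so readers of data/CVE/list do not have to cross-reference dla-needed.txt to learn the outcome.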
@@ -144330,6 +144330,7 @@ CVE-2015-6761 (The update_dimensions function in libavcodec/vp8.c in FFmpeg thro
NOTE: https://code.google.com/p/chromium/issues/detail?id=532967
NOTE: Starting with 44.0.2403.157-1 chromium uses the ffmpeg system copy
NOTE: It looks like this relates to multithreaded decoding of VPx codecs, which is not implemented in the squeeze version. But I'm not sure as the second bug report is still private.
+ NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=dabea74d0e82ea80cd344f630497cafcb3ef872c
CVE-2015-6760 (The Image11::map function in renderer/d3d/d3d11/Image11.cpp in ...)
{DSA-3376-1}
- chromium-browser 46.0.2490.71-1
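Review bot: The added NOTE is a bare URL with no indication of what it points to. The commit message identifies it as the ffmpeg upstream commit that fixes the issue, and that context is lost once the entry is read on its own. Suggest prefixing the link with a short label saying it is the upstream fix, and adding a second NOTE with the reproduction results from the commit message (failed with chromium 57.0.2987.98-1~deb8u1, failed with VLC linked against jessie's libav), since those results explain why the issue is being treated as unconfirmed.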
=====================================
data/dla-needed.txt
=====================================
@@ -22,10 +22,11 @@ libapache-mod-jk (Roberto C. Sánchez)
--
libav (Markus Koschany, Mike Gabriel)
NOTE: 20181129: More than one contributor can work on libav at the same time.
- NOTE: First priority should be to find more information about the
- NOTE: "undetermined" issues. Then we can decide what CVE should be fixed ASAP.
- NOTE: Adding my self as co-worker. Coordination of CVEs to be worked on: IRC
- NOTE: #debian-lts.
+ NOTE: 20181129: First priority should be to find more information about the
+ NOTE: 20181129: "undetermined" issues. Then we can decide what CVE should be fixed ASAP.
+ NOTE: 20181130: Adding my self as co-worker. Coordination of CVEs to be worked on: IRC
+ NOTE: 20181130: #debian-lts.
+ NOTE: 20181130: CVE-2015-6761: patch available, issue non-reproducible, vulnerable (for now)
--
libsndfile (Hugo Lefeuvre)
NOTE: 20181123: CVE-2018-19432 minor but several older CVEs triaged no-dsa (such as CVE-2017-8361)
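Review bot: The new last line, `NOTE: 20181130: CVE-2015-6761: patch available, issue non-reproducible, vulnerable (for now)`, reads as contradictory without the commit message at hand: "non-reproducible" and "vulnerable" sit side by side with no explanation. Suggest stating that jessie's libav is assumed vulnerable because the fix is not applied, and that reproduction was only attempted through chromium and VLC. Separately, the re-dated lines repeat the date prefix on continuation lines (`20181129: "undetermined" issues.` and `20181130: #debian-lts.`), which makes each sentence look like two separate notes; keeping the date on the first line of each note only would read more clearly.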
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/4489a3c51d34eb68538d7628e6bea014df1c50c5...b92d281fa85ae6bfe3c6bed90ca71714d5265029