[Git][security-tracker-team/security-tracker][master] Reserve DLA-2021-1 for libav

Sylvain Beucler beuc at debian.org
Thu Dec 5 17:54:05 GMT 2019



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bb4194c2 by Sylvain Beucler at 2019-12-05T17:53:56Z
Reserve DLA-2021-1 for libav

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[05 Dec 2019] DLA-2021-1 libav - security update
+	{CVE-2017-17127 CVE-2017-18245 CVE-2018-19128 CVE-2018-19130 CVE-2019-14443 CVE-2019-17542}
+	[jessie] - libav 6:11.12-1~deb8u9
 [04 Dec 2019] DLA-2020-1 libonig - security update
 	{CVE-2019-19012 CVE-2019-19204 CVE-2019-19246}
 	[jessie] - libonig 5.9.5-3.2+deb8u4
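Review bot: In the added DLA-2021-1 entry, the line `[jessie] - libav 6:11.12-1~deb8u9` records a fixed version although the commit message only says the advisory is being reserved. Please confirm that this is the exact version going into jessie, since all six CVEs in the braces will be read as resolved at that version. If the upload has not happened yet, note that in the commit message so a reader of the list does not assume the fix is already available.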


=====================================
data/dla-needed.txt
=====================================
@@ -35,19 +35,6 @@ jackson-databind
 jhead (Adrian Bunk)
   NOTE: 20191118: No patch available, yet.
 --
-libav (Sylvain Beucler)
-  NOTE: 20190831: There are currently 19 CVE issues known for libav in jessie,
-  NOTE: 20190831: 11 tagged as <no-dsa>. These issues have been triaged, no patch
-  NOTE: 20190831: has been found, so far. If you pick libav, be prepared to work
-  NOTE: 20190831: out what these patches might be.
-  NOTE: 20190831: What helps... Most issues have been resolved in ffmpeg, but
-  NOTE: 20190831: have not been referenced as such. The upstream bug reports
-  NOTE: 20190831: for libav have often been debugged very accurately, so that it is
-  NOTE: 20190831: possible to derive from the libav bug report which ffmpeg commit
-  NOTE: 20190831: might fix the issue. Furthermore, most libav bugs have PoCs,
-  NOTE: 20190831: so there is something one can test with and see if the fix worked.
-  NOTE: 20191123: Triaging new vulnerabilities, cross-referencing with ffmpeg, updating MITRE (Beuc)
---
 libexif
   NOTE: 20191111: Contacted upstream for relevant commits of CVE-2019-9278. (utkarsh2102)
   NOTE: 20191114: Pinged upstream; just have the Android patch yet. (utkarsh2102)
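Review bot: Removing the whole libav entry drops the triage guidance together with the claim, although the removed notes count 19 known CVE issues for libav in jessie and DLA-2021-1 in this commit lists six. If any of the others are still open, keep a shortened entry or state in the commit message where they are tracked, so the hints about deriving fixes from ffmpeg commits and testing with the upstream PoCs are not lost for the next person. The commit message also mentions only the reservation, not this removal from dla-needed.txt.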



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bb4194c2be9e81c8dfe61a7cf0262a23fe5e3764
