[Git][security-tracker-team/security-tracker][master] 2 commits: Update CVE-2023-6601/ffmpeg triaging, bookworm and bullseye affected

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sun Feb 8 19:47:34 GMT 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dfb1e7f5 by Carlos Henrique Lima Melara at 2026-02-08T15:16:52-03:00
Update CVE-2023-6601/ffmpeg triaging, bookworm and bullseye affected

Initially the vulnerability was marked as fixed by 91d96dc, but upstream
marked d09f50c as fixing it [1]. After going through the description and
reproducer, d09f50c indeed fixes the CVE. This commit was never
cherry-picked in upstream patch releases of 5.1 or 4.3, so both bookworm
and bullseye are vulnerable.

[1] https://www.ffmpeg.org/security.html

- - - - -
4a41a11e by Salvatore Bonaccorso at 2026-02-08T20:47:26+01:00
Merge branch 'update-ffmpeg-triaging' into 'master'

Update CVE-2023-6601/ffmpeg triaging, bookworm and bullseye affected

See merge request security-tracker-team/security-tracker!264
- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/DSA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -138296,12 +138296,11 @@ CVE-2023-6604 (A flaw was found in FFmpeg. This vulnerability allows unexpected
 	NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/b753bac08f6881b2d3dea8f1ab84c81550f35897 (n7.1.1)
 	NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57 (n5.1.7)
 CVE-2023-6601 (A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows by ...)
-	{DSA-5985-1 DLA-4241-1}
-	- ffmpeg 7:7.1.1-1
+	- ffmpeg 7:6.1-1
+	[bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 5.1 branch)
+	[bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 4.3 branch)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2253172
-	NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/91d96dc8ddaebe0b6cb393f672085e6bfaf15a31 (master)
-	NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/b753bac08f6881b2d3dea8f1ab84c81550f35897 (n7.1.1)
-	NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57 (n5.1.7)
+	NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/d09f50c0f5f045dec35f0ca22c2212fae2378dba (n6.1)
 CVE-2024-56769 (In the Linux kernel, the following vulnerability has been resolved:  m ...)
 	{DLA-4076-1 DLA-4075-1}
 	- linux 6.12.8-1
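
Review bot: the CVE-2023-6601 entry drops the three "Fixed by" notes for 91d96dc, b753bac and 9803800 without leaving any trace of why, so the reasoning survives only in the commit message. Suggest adding a NOTE line under the entry stating that 91d96dc was originally recorded as the fix but upstream attributes the fix to d09f50c, with a pointer to https://www.ffmpeg.org/security.html, so that a later triager who sees b753bac and 9803800 still listed under CVE-2023-6604 does not re-add them here. The new unfixed version 7:6.1-1 matches the (n6.1) tag on the d09f50c note.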


=====================================
data/DLA/list
=====================================
@@ -705,7 +705,7 @@
 	{CVE-2022-25844 CVE-2023-26116 CVE-2023-26117 CVE-2023-26118 CVE-2024-8372 CVE-2024-8373 CVE-2024-21490 CVE-2025-0716 CVE-2025-2336}
 	[bullseye] - angular.js 1.8.3-1+deb12u1~deb11u1
 [14 Jul 2025] DLA-4241-1 ffmpeg - security update
-	{CVE-2023-6601 CVE-2023-6602 CVE-2023-6604 CVE-2023-6605}
+	{CVE-2023-6602 CVE-2023-6604 CVE-2023-6605}
 	[bullseye] - ffmpeg 7:4.3.9-0+deb11u1
 [12 Jul 2025] DLA-4240-1 redis - security update
 	{CVE-2025-32023 CVE-2025-48367}
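
Review bot: with CVE-2023-6601 removed from the DLA-4241-1 set, bullseye is covered only by the new <postponed> line in data/CVE/list, whose reason is "wait until it's fixed in the 4.3 branch". The commit message says d09f50c was never cherry-picked into upstream 4.3 patch releases, so it is worth saying in the CVE entry whether an upstream backport has been requested or is expected; otherwise the postponed state has no visible exit condition. The same question applies to the bookworm line and the 5.1 branch.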


=====================================
data/DSA/list
=====================================
@@ -517,7 +517,7 @@
 	[bookworm] - node-cipher-base 1.0.4-6+deb12u1
 	[trixie] - node-cipher-base 1.0.4-6+deb13u1
 [25 Aug 2025] DSA-5985-1 ffmpeg - security update
-	{CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2024-31582 CVE-2024-35367 CVE-2024-35368 CVE-2025-0518 CVE-2025-7700 CVE-2025-22919 CVE-2023-6605 CVE-2023-6602 CVE-2023-6604 CVE-2023-6601 CVE-2025-59731 CVE-2025-59732 CVE-2025-59733 CVE-2025-9951}
+	{CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2024-31582 CVE-2024-35367 CVE-2024-35368 CVE-2025-0518 CVE-2025-7700 CVE-2025-22919 CVE-2023-6605 CVE-2023-6602 CVE-2023-6604 CVE-2025-59731 CVE-2025-59732 CVE-2025-59733 CVE-2025-9951}
 	[bookworm] - ffmpeg 7:5.1.7-0+deb12u1
 [24 Aug 2025] DSA-5984-1 thunderbird - security update
 	{CVE-2025-9179 CVE-2025-9180 CVE-2025-9181 CVE-2025-9185}
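
Review bot: this narrows the CVE set of DSA-5985-1, dated 25 Aug 2025, several months after the fact, while the bookworm fixed version 7:5.1.7-0+deb12u1 stays unchanged. Please confirm whether the advisory as announced named CVE-2023-6601; if it did, the tracker and the announcement now disagree and the merge request should say how that will be communicated. The only difference between the old and new brace lists is the removal of CVE-2023-6601 between CVE-2023-6604 and CVE-2025-59731, which is as intended.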



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8603934fb700b0c92345820491e96b920c452f0c...4a41a11e45fb1fa28f2c752bfbcb05f308c880d9
