[Git][security-tracker-team/security-tracker][master] Reserve DLA-4440-1 for ffmpeg

Carlos Henrique Lima Melara (@charles) gitlab at salsa.debian.org
Fri Jan 16 23:04:37 GMT 2026



Carlos Henrique Lima Melara pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4fe05077 by Carlos Henrique Lima Melara at 2026-01-16T20:03:39-03:00
Reserve DLA-4440-1 for ffmpeg

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -48830,7 +48830,6 @@ CVE-2025-10256
 	{DSA-6007-1}
 	- ffmpeg 7:7.1.2-1
 	[bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 5.1 branch)
-	[bullseye] - ffmpeg <postponed> (Minor issue)
 	NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/a25462482c02c004d685a8fcf2fa63955aaa0931 (n8.0)
 	NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/0e8ccde9e5c9daa081eb4c037d83350390c9aa2b (n7.1.2)
 	NOTE: Introduced in: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/d3be186ed1bcdcf2c093d6b13a0e66dc5132be2a (n3.2)
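Review bot: the bookworm `<postponed>` line on CVE-2025-10256 stays while the bullseye one is dropped for DLA-4440-1, so the older 4.3 branch (bullseye, 7:4.3.9) will carry a fix that the 5.1 branch (bookworm) still waits on. If the 4.3 backport applies to 5.1 as well, replace "wait until it's fixed in the 5.1 branch" with a pointer to that backport so the stable team can pick it up; if it does not, the bookworm line can stay as is.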
@@ -49714,7 +49713,6 @@ CVE-2025-9994 (The Amp\u2019ed RF BT-AP 111 Bluetooth access point's HTTP admin
 CVE-2025-9951 (A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows ...)
 	{DSA-6007-1 DSA-5985-1}
 	- ffmpeg 7:7.1.2-1
-	[bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 4.3 branch)
 	NOTE: https://github.com/google/security-research/security/advisories/GHSA-39q3-f8jq-v6mg
 	NOTE: https://github.com/FFmpeg/FFmpeg/commit/01a292c7e36545ddeb3c7f79cd02e2611cd37d73 (n8.0)
 	NOTE: https://github.com/FFmpeg/FFmpeg/commit/d141e864f73152e94e0c45cc4abb8c329275c265 (n7.1.2)
@@ -66037,7 +66035,6 @@ CVE-2024-6234
 CVE-2025-7700 (A flaw was found in FFmpeg\u2019s ALS audio decoder, where it does not ...)
 	{DSA-6007-1 DSA-5985-1}
 	- ffmpeg 7:7.1.2-1
-	[bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 4.3 branch)
 	NOTE: Introduced with: https://git.ffmpeg.org/gitweb/ffmpeg.git/object/dcfd24b10c7eaec4b7b1ec2c4abb46808721a71d
 	NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/35a6de137a39f274d5e01ed0e0e6c4f04d0aaf07 (n8.0)
 	NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/e0c5acb3e343d1c91c0914a786ff59176d4066a2 (n7.1.2)
@@ -115576,7 +115573,6 @@ CVE-2025-1595 (A vulnerability has been found in Anhui Xufan Information Technol
 CVE-2025-1594 (A vulnerability, which was classified as critical, was found in FFmpeg ...)
 	{DSA-6079-1 DSA-6007-1}
 	- ffmpeg 7:7.1.2-1
-	[bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed upstream)
 	NOTE: https://ffmpeg.org/pipermail/ffmpeg-devel/2025-February/339544.html
 	NOTE: https://trac.ffmpeg.org/ticket/11418
 	NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/bedfb6eca402037f5cbb115fa767d106b8c14f1c (n8.0)
@@ -131353,7 +131349,6 @@ CVE-2023-48775 (Missing Authorization vulnerability in Gfazioli WP Cleanfix allo
 	NOT-FOR-US: WordPress plugin
 CVE-2023-6603 (A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability  ...)
 	- ffmpeg 7:5.0.1-2
-	[bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed upstream)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2334335
 	NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/28c83584e8f3cd747c1476a74cc2841d3d1fa7f3 (n5.0)
 CVE-2023-6602 (A flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows po ...)
@@ -139525,7 +139520,6 @@ CVE-2024-36616 (An integer overflow in the component /libavformat/westwood_vqa.c
 CVE-2024-36615 (FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. Thi ...)
 	- ffmpeg 7:7.1-3
 	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
-	[bullseye] - ffmpeg <postponed> (Minor issue, hard to backport)
 	NOTE: https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61 (n7.1)
 	NOTE: Regression fix: https://github.com/FFmpeg/FFmpeg/commit/8c62d77139ca07390414fcfd26b2a4d506fed3b9 (n7.1)
 CVE-2024-36612 (Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the hand ...)
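Review bot: the removed bullseye line recorded CVE-2024-36615 as "hard to backport", and the hunk lists both the original n7.1 fix (0ba058579f33) and a separate regression fix (8c62d77139ca) for it; please confirm the 7:4.3.9-0+deb11u2 upload reserved for DLA-4440-1 carries the regression fix together with the primary commit, since a backport of the first without the second would reintroduce the regression the second commit addresses. The bookworm line ("Pick up when fixed in 5.1.x") is unchanged here, which is consistent only if the 4.3 backport does not also apply to 5.1.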


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[16 Jan 2026] DLA-4440-1 ffmpeg - security update
+	{CVE-2023-6603 CVE-2024-36615 CVE-2025-1594 CVE-2025-7700 CVE-2025-9951 CVE-2025-10256 CVE-2025-63757}
+	[bullseye] - ffmpeg 7:4.3.9-0+deb11u2
 [15 Jan 2026] DLA-4439-1 firefox-esr - security update
 	{CVE-2025-14327 CVE-2026-0877 CVE-2026-0878 CVE-2026-0879 CVE-2026-0880 CVE-2026-0882 CVE-2026-0883 CVE-2026-0884 CVE-2026-0885 CVE-2026-0886 CVE-2026-0887 CVE-2026-0890 CVE-2026-0891}
 	[bullseye] - firefox-esr 140.7.0esr-1~deb11u1
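Review bot: the new DLA-4440-1 entry lists seven CVEs, but the data/CVE/list hunks in this commit drop only six bullseye `<postponed>` lines (CVE-2025-10256, CVE-2025-9951, CVE-2025-7700, CVE-2025-1594, CVE-2023-6603, CVE-2024-36615); CVE-2025-63757 has no corresponding change. Check that its entry in data/CVE/list does not still carry a bullseye `<postponed>` or `<no-dsa>` tag that would contradict this DLA, and if it does, remove that line in a follow-up.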


=====================================
data/dla-needed.txt
=====================================
@@ -89,19 +89,6 @@ epiphany-browser (abhijith)
   NOTE: 20251206: Added by Front-Desk (rouca)
   NOTE: 20251206: Fix CVE-2023-26081 fixed in buster. Try to fix other CVEs postponed (fd/rouca)
 --
-ffmpeg (charles)
-  NOTE: 20251102: Added by Front-Desk (apo)
-  NOTE: 20251125: Re-claim it. I'm working thorugh the long list of postponed
-  NOTE: 20251125: CVEs. I've got the bullseye's patches for CVE-2023-6603 and
-  NOTE: 20251125: CVE-2024-36615 atm. In the end, I plan to submit upstream for
-  NOTE: 20251125: ffmpeg's LTS branches because we get upstream review +
-  NOTE: 20251125: contribute back to free software, so win-win I guess :-)
-  NOTE: 20251222: Timing isn't perfect with the holidays, but I've sent the
-  NOTE: 20251222: fixes upstream for review:
-  NOTE: 20251222: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21275 (charles)
-  NOTE: 20260114: The MR was accepted upstream, only pending thing is to check
-  NOTE: 20260114: one failure in a rdep test spotted in debusine (lebiniou).
---
 firmware-nonfree
   NOTE: 20251130: Added by Front-Desk. Moreover, take care of postponed issue (rouca)
 --
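Review bot: the ffmpeg entry is dropped from dla-needed.txt while its last note (20260114) still records an open item, "check one failure in a rdep test spotted in debusine", with no later note saying it was resolved. Reserving the DLA is fine once the upload is ready, but either confirm the rdep failure was cleared or add a closing note before removal so the record shows how that check ended.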



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fe050772ba5224c0fd0e1602b95c6542d103c65


