Libavcodec being blacklisted with Firefox

Jean-Yves Avenard jyavenard at mozilla.com
Tue Sep 27 01:32:08 UTC 2016


Hello

I am writing to you as you are listed as one of the libavcodec maintainers on either the Debian or Ubuntu distribution.

We discovered a serious security vulnerability in libavcodec 54 and earlier. Only libavcodec from LibAV is impacted.

We have submitted fixes for libavcodec 54 to the LibAV team, which have been accepted. They have also agreed to bump the micro version, making the first version with no vulnerability version 54.35.1.
https://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/9

libavcodec 53 is also impacted; however, we have no solution for this.

As a result, we have blacklisted libavcodec with a version earlier than 54.35.1.

This means that Firefox 50 and later will no longer be able to play some videos on systems using libavcodec with the vulnerability.
Systems using libavcodec from the FFmpeg tree aren’t impacted.

The easiest course of action for whoever is creating the Debian or Ubuntu libav* package is to resync with upstream to grab the fixes…

There will be no binary incompatibilities with existing packages using the fixed libavcodec.

Thank you for updating the packages.

Best regards
Jean-Yves Avenard


