Debian has issued an advisory on November 17:
Assigning to gstreamer0.10-plugins-bad maintainer.
There's no gstreamer1.0-plugins-bad maintainer. CC'ing all packagers collectively.
I guess this report needs to be cloned for gstreamer1.0-plugins-bad, anyway?
CVE request and link to the upstream fix:
Appears to be fixed in Cauldron by Shlomi.
gstreamer0.10-plugins-bad, gstreamer1.0-plugins-bad new security issue in VMWare screen capture file decoder =>
gstreamer0.10-plugins-bad, gstreamer1.0-plugins-bad new security issue in VMWare screen capture file decoder (CVE-2016-944)
CVE-2016-9809, CVE-2016-981 assigned for issues fixed in 1.10.2:
LWN reference for CVE-2016-9809:
LWN reference for CVE-2016-981:
Fedora has issued an advisory for this on December 9: