openSUSE has issued an advisory on April 28: https://lists.opensuse.org/opensuse-updates/2017-04/msg00106.html
available in updates_testing. Do we push it now in core/release ?
CC: (none) => mageia
(In reply to Nicolas Lécureuil from comment #1)
> available in updates_testing.

Thanks :-)

> Do we push it now in core/release ?

Shlomi, you're the registered maintainer... do you have any objection against pushing it to core/release now?

Btw, is Mga5 not affected?

Assignee: bugsquad => shlomif
CC: (none) => marja11
Mageia 5 probably is affected, but we can't update it to 3.3. The usual concern with ffmpeg is whether it breaks building anything against it, so that needs to be tested. As long as everything still builds fine, it can be pushed into release.
(In reply to Marja van Waes from comment #2)
> (In reply to Nicolas Lécureuil from comment #1)
> > available in updates_testing.
>
> Thanks :-)
>
> > Do we push it now in core/release ?
>
> Shlomi, you're the registered maintainer... do you have any objection
> against pushing it to core/release now?

I don't have an objection. Go for it.

> Btw, is Mga5 not affected?
pushed in mga6 core/release
I am patching mga5.

The list of the CVEs:
CVE-2017-7865
CVE-2017-7863
CVE-2017-7862
CVE-2017-7859
CVE-2016-10192
CVE-2016-10191
CVE-2016-10190
CVE-2017-7866 is fixed on mga5 in the SVN
CVE-2017-7862 is fixed on mga5 in the SVN
Version: Cauldron => 5
Nicolas, do you have any more patches for this?
No, I need to look.
The one CVE listed in the git log for 3.3.3 was fixed here:
https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/0a709e2a10b8288a0cc383547924ecfe285cef89

More info here:
http://seclists.org/oss-sec/2017/q3/288
CVE-2017-15672, fixed in git after 3.3.4, announced here today (November 3): http://openwall.com/lists/oss-security/2017/11/03/4
CVE-2017-15186: http://openwall.com/lists/oss-security/2017/11/06/14
We could try asking for one more 2.4.x update in #ffmpeg-devel, but I don't know if there's time.
The upstream maintainer has updated the 2.4.x branch as requested and will roll a new release tomorrow, so we can get the last update packaged.
Updated packages uploaded for Mageia 5.

Note that there are core and tainted builds for this package.

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

This update provides ffmpeg version 2.4.14, which fixes several security vulnerabilities and other bugs which were corrected upstream.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6881
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5024
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7866
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11665
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14057
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14171
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17081
http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=n2.4.14
http://ffmpeg.org/olddownload.html
http://ffmpeg.org/security.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-2.4.14-1.mga5
libavcodec56-2.4.14-1.mga5
libpostproc53-2.4.14-1.mga5
libavformat56-2.4.14-1.mga5
libavutil54-2.4.14-1.mga5
libswscaler3-2.4.14-1.mga5
libavfilter5-2.4.14-1.mga5
libswresample1-2.4.14-1.mga5
libffmpeg-devel-2.4.14-1.mga5
libffmpeg-static-devel-2.4.14-1.mga5

from ffmpeg-2.4.14-1.mga5.src.rpm
Assignee: shlomif => qa-bugs
On real hardware, Athlon X2 7750, Geforce 9800GT video, Atheros wifi.

The following 8 packages are going to be installed:

- ffmpeg-2.4.14-1.mga5.tainted.x86_64
- lib64avcodec56-2.4.14-1.mga5.tainted.x86_64
- lib64avfilter5-2.4.14-1.mga5.tainted.x86_64
- lib64avformat56-2.4.14-1.mga5.tainted.x86_64
- lib64avutil54-2.4.14-1.mga5.tainted.x86_64
- lib64postproc53-2.4.14-1.mga5.tainted.x86_64
- lib64swresample1-2.4.14-1.mga5.tainted.x86_64
- lib64swscaler3-2.4.14-1.mga5.tainted.x86_64

According to the ffmpeg Wikipedia article, both vlc and Linux Firefox use ffmpeg for audio and video playback. So, after installing the updates, I played several videos with vlc, with both mp4 and mkv extensions, and I played several Youtube videos. Everything was excellent.

As I believe playback decoding is the most common use of ffmpeg, I am giving it an OK on this hardware.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA5-64-OK

Keywords: (none) => advisory
CC: (none) => davidwhodgins
Core and Tainted versions tested under vb. Validating the update.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0008.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED