RedHat has issued an advisory on November 5: https://access.redhat.com/errata/RHSA-2019:3703 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assigning this globally as libvorbis has no registered maintainer.
Assignee: bugsquad => pkg-bugs
Seems that CVE-2018-10392 and CVE-2018-10393 were already fixed in libvorbis-1.3.6-3.mga7.src.rpm: http://svnweb.mageia.org/packages?view=revision&revision=1238085
CC: (none) => geiger.david68210
I wonder why that didn't turn up in my Bugzilla search. *** This bug has been marked as a duplicate of bug 23145 ***
Status: NEW => RESOLVEDResolution: (none) => DUPLICATE