FFmpeg 4.3.2 has been released on February 20: https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.3.2
Hi, thanks for reporting this. As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it)
CC: (none) => mageia, ouaurelien, smelror
Assignee: bugsquad => pkg-bugs
The fixes for the CVEs that are included in 4.3.2 are already in MGA8; however, I plan on pushing 4.3.2 as an update as soon as Mageia 8 is released. Cheers, Stig
Assignee: pkg-bugs => smelror
Thanks, yeah there's almost always security fixes without CVEs. Some might get CVEs later.
Note that there are core and tainted builds for this package.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8065#c6
https://bugs.mageia.org/show_bug.cgi?id=14042#c6

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

This update provides ffmpeg version 4.3.2, which fixes several security vulnerabilities and other bugs which were corrected upstream.

References:
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.3.2
http://ffmpeg.org/download.html
http://ffmpeg.org/security.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-4.3.2-1.mga8
libavcodec58-4.3.2-1.mga8
libavfilter7-4.3.2-1.mga8
libavformat58-4.3.2-1.mga8
libavutil56-4.3.2-1.mga8
libffmpeg-devel-4.3.2-1.mga8
libswscaler5-4.3.2-1.mga8
libavresample4-4.3.2-1.mga8
libswresample3-4.3.2-1.mga8
libpostproc55-4.3.2-1.mga8
libffmpeg-static-devel-4.3.2-1.mga8

from ffmpeg-4.3.2-1.mga8.src.rpm
Assignee: smelror => qa-bugs
Packages may need to be resubmitted ...

The following packages have bad signatures:
ffmpeg-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64avcodec58-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64avfilter7-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64avformat58-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64avresample4-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64avutil56-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64postproc55-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64swresample3-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64swscaler5-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))

Reported on the sysadmin-discuss ML too.
CC: (none) => davidwhodgins
Sysadmins, please remove these packages from updates_testing so they can be resubmitted as-is.
Assignee: qa-bugs => sysadmin-bugs
Removed and re-submitted.
Assignee: sysadmin-bugs => qa-bugs
Tested ffplay with an AVI file I recorded years ago with my TV card (core/updates_testing version) and it works fine on Mageia 8 x86_64. Someone needs to test the tainted version.
Testing:

$ rpm -qa | grep ffmpeg
ffmpeg-4.3.2-1.mga8.tainted

No more missing signature, as per comments 5 to 7.
Installed over the existing version OK.
Reading and encoding files OK.

Giving this OK for the tainted version. As the core version was OK'ed in comment 8, MGA8-64-OK. Thus, validating. (And reassigning as a security bug, per the advisory.)
QA Contact: (none) => security
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory, validated_update
Component: RPM Packages => Security
Un-validating: on April 8th, 2021, FFmpeg 4.4 "Rao" was released with fixed vulnerabilities.

Fixes the following vulnerabilities:
CVE-2020-13904, 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc
CVE-2020-13904, b5e39880fb7269b1b3577cee288e06aa3dc1dfa2
CVE-2020-14212, 0b3bd001ac1745d9d008a2d195817df57d7d1d14
CVE-2020-20450, 5400e4a50c61e53e1bc50b3e77201649bbe9c510, ticket/7993
CVE-2020-21041, 5d9f44da460f781a1604d537d0555b78e29438ba, ticket/7989
CVE-2020-22038, 7c32e9cf93b712f8463573a59ed4e98fd10fa013, ticket/8285
CVE-2020-22042, 426c16d61a9b5056a157a1a2a057a4e4d13eef84, ticket/8267
CVE-2020-24020, 584f396132aa19d21bb1e38ad9a5d428869290cb, ticket/8718
CVE-2020-35965, 3e5959b3457f7f1856d997261e6ac672bba49e8b
CVE-2020-35965, b0a8b40294ea212c1938348ff112ef1b9bf16bb3

@David, do we need to push this and open a new bug report on this?
Keywords: advisory, validated_update => (none)
We don't update to newer ffmpeg branches on stable releases, as it breaks things. We'll expect security fixes to get backported to a 4.3.3 release upstream. If needed, we can ask Michael N., the upstream maintainer, to produce such an update.
(In reply to David Walser from comment #11)
> We don't update to newer ffmpeg branches on stable releases, as it breaks
> things. We'll expect security fixes to get backported to a 4.3.3 release
> upstream. If needed, we can ask Michael N., the upstream maintainer, to
> produce such an update.

So let's push this version 4.3.2 to core/updates and open a new bug report for fixes in FFmpeg 4.4.
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0350.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
CVE-2020-21688 and CVE-2020-21697 were also fixed in 4.3.2: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RHYNSW2TAJSSTZPOYXQXGZDI6LYBWIT4/
CVE-2020-35965 was fixed in 4.3.2: https://security-tracker.debian.org/tracker/CVE-2020-35965