* [FFmpeg-devel] CVE #s security fixes and backports @ 2025-02-23 8:56 Michael Niedermayer 2025-02-23 9:12 ` Michael Niedermayer 0 siblings, 1 reply; 10+ messages in thread From: Michael Niedermayer @ 2025-02-23 8:56 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1.1: Type: text/plain, Size: 874 bytes --] Hi all Today ffmpeg-security was asked why 5 security fixes are missing in 6.1 and from our security page. These issues where posted publically on trac, and fixed by FFmpeg developers. Then someone seems to have registered CVE #s but not mailed ffmpeg-security I suggest 1. if you fix a security issue or apply a security fix, make sure it is backported to all supported releases 2. if you see a CVE # thats not on the security page, mail ffmpeg-security 3. If you see issues on trac that seem important, please make sure they are fixed and backported, having someone like carl who knew and maintained all issues would be quite usefull thx -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB I have never wished to cater to the crowd; for what I know they do not approve, and what they approve I do not know. -- Epicurus [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [FFmpeg-devel] CVE #s security fixes and backports 2025-02-23 8:56 [FFmpeg-devel] CVE #s security fixes and backports Michael Niedermayer @ 2025-02-23 9:12 ` Michael Niedermayer 2025-02-23 15:41 ` James Almer 2025-02-23 16:49 ` Rémi Denis-Courmont 0 siblings, 2 replies; 10+ messages in thread From: Michael Niedermayer @ 2025-02-23 9:12 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1.1: Type: text/plain, Size: 1184 bytes --] Hi On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote: > Hi all > > Today ffmpeg-security was asked why 5 security fixes are missing in 6.1 > and from our security page. > > These issues where posted publically on trac, and fixed by FFmpeg developers. > Then someone seems to have registered CVE #s but not mailed ffmpeg-security > > I suggest > 1. if you fix a security issue or apply a security fix, make sure it is > backported to all supported releases > 2. if you see a CVE # thats not on the security page, mail ffmpeg-security > 3. If you see issues on trac that seem important, please make sure they > are fixed and backported, having someone like carl who knew and maintained > all issues would be quite usefull 4. Someone should cross check https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page and backported fixes and backport missing fixes and fix unfixed issues. thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB The smallest minority on earth is the individual. Those who deny individual rights cannot claim to be defenders of minorities. - Ayn Rand [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [FFmpeg-devel] CVE #s security fixes and backports 2025-02-23 9:12 ` Michael Niedermayer @ 2025-02-23 15:41 ` James Almer 2025-02-23 20:19 ` Michael Niedermayer 2025-02-23 16:49 ` Rémi Denis-Courmont 1 sibling, 1 reply; 10+ messages in thread From: James Almer @ 2025-02-23 15:41 UTC (permalink / raw) To: ffmpeg-devel [-- Attachment #1.1.1: Type: text/plain, Size: 1456 bytes --] On 2/23/2025 6:12 AM, Michael Niedermayer wrote: > Hi > > On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote: >> Hi all >> >> Today ffmpeg-security was asked why 5 security fixes are missing in 6.1 >> and from our security page. >> >> These issues where posted publically on trac, and fixed by FFmpeg developers. >> Then someone seems to have registered CVE #s but not mailed ffmpeg-security >> >> I suggest >> 1. if you fix a security issue or apply a security fix, make sure it is >> backported to all supported releases >> 2. if you see a CVE # thats not on the security page, mail ffmpeg-security >> 3. If you see issues on trac that seem important, please make sure they >> are fixed and backported, having someone like carl who knew and maintained >> all issues would be quite usefull > > 4. Someone should cross check > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page > and backported fixes and backport missing fixes and fix unfixed issues. Why are there memory leaks with a CVE? Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git master. > > thx > > [...] > > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". [-- Attachment #1.2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 495 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [FFmpeg-devel] CVE #s security fixes and backports 2025-02-23 15:41 ` James Almer @ 2025-02-23 20:19 ` Michael Niedermayer 2025-02-23 21:45 ` James Almer 0 siblings, 1 reply; 10+ messages in thread From: Michael Niedermayer @ 2025-02-23 20:19 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1.1: Type: text/plain, Size: 1649 bytes --] Hi On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote: > On 2/23/2025 6:12 AM, Michael Niedermayer wrote: > > Hi > > > > On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote: > > > Hi all > > > > > > Today ffmpeg-security was asked why 5 security fixes are missing in 6.1 > > > and from our security page. > > > > > > These issues where posted publically on trac, and fixed by FFmpeg developers. > > > Then someone seems to have registered CVE #s but not mailed ffmpeg-security > > > > > > I suggest > > > 1. if you fix a security issue or apply a security fix, make sure it is > > > backported to all supported releases > > > 2. if you see a CVE # thats not on the security page, mail ffmpeg-security > > > 3. If you see issues on trac that seem important, please make sure they > > > are fixed and backported, having someone like carl who knew and maintained > > > all issues would be quite usefull > > > > 4. Someone should cross check > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page > > and backported fixes and backport missing fixes and fix unfixed issues. > > Why are there memory leaks with a CVE? a memory leak can be a denial of service > > Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git > master. please add a entry to our security page stating that thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB The difference between a dictatorship and a democracy is that every 4 years the population together is allowed to provide 1 bit of input to the government. [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [FFmpeg-devel] CVE #s security fixes and backports 2025-02-23 20:19 ` Michael Niedermayer @ 2025-02-23 21:45 ` James Almer 2025-02-23 21:58 ` Michael Niedermayer 0 siblings, 1 reply; 10+ messages in thread From: James Almer @ 2025-02-23 21:45 UTC (permalink / raw) To: ffmpeg-devel [-- Attachment #1.1.1: Type: text/plain, Size: 1760 bytes --] On 2/23/2025 5:19 PM, Michael Niedermayer wrote: > Hi > > On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote: >> On 2/23/2025 6:12 AM, Michael Niedermayer wrote: >>> Hi >>> >>> On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote: >>>> Hi all >>>> >>>> Today ffmpeg-security was asked why 5 security fixes are missing in 6.1 >>>> and from our security page. >>>> >>>> These issues where posted publically on trac, and fixed by FFmpeg developers. >>>> Then someone seems to have registered CVE #s but not mailed ffmpeg-security >>>> >>>> I suggest >>>> 1. if you fix a security issue or apply a security fix, make sure it is >>>> backported to all supported releases >>>> 2. if you see a CVE # thats not on the security page, mail ffmpeg-security >>>> 3. If you see issues on trac that seem important, please make sure they >>>> are fixed and backported, having someone like carl who knew and maintained >>>> all issues would be quite usefull >>> >>> 4. Someone should cross check >>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page >>> and backported fixes and backport missing fixes and fix unfixed issues. >> >> Why are there memory leaks with a CVE? > > a memory leak can be a denial of service > > >> >> Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git >> master. > > please add a entry to our security page stating that How? It doesn't apply to any release. It's CVE who should fix their description. Also, i consider it a bit premature to make a CVE for an issue that's only present in git master and was fixed immediately after it was reported to us. It wasn't realistically deployed anywhere and only pads the list. [-- Attachment #1.2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 495 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [FFmpeg-devel] CVE #s security fixes and backports 2025-02-23 21:45 ` James Almer @ 2025-02-23 21:58 ` Michael Niedermayer 2025-02-23 22:00 ` James Almer 2025-02-23 22:08 ` James Almer 0 siblings, 2 replies; 10+ messages in thread From: Michael Niedermayer @ 2025-02-23 21:58 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1.1: Type: text/plain, Size: 2825 bytes --] Hi On Sun, Feb 23, 2025 at 06:45:07PM -0300, James Almer wrote: > On 2/23/2025 5:19 PM, Michael Niedermayer wrote: > > Hi > > > > On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote: > > > On 2/23/2025 6:12 AM, Michael Niedermayer wrote: > > > > Hi > > > > > > > > On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote: > > > > > Hi all > > > > > > > > > > Today ffmpeg-security was asked why 5 security fixes are missing in 6.1 > > > > > and from our security page. > > > > > > > > > > These issues where posted publically on trac, and fixed by FFmpeg developers. > > > > > Then someone seems to have registered CVE #s but not mailed ffmpeg-security > > > > > > > > > > I suggest > > > > > 1. if you fix a security issue or apply a security fix, make sure it is > > > > > backported to all supported releases > > > > > 2. if you see a CVE # thats not on the security page, mail ffmpeg-security > > > > > 3. If you see issues on trac that seem important, please make sure they > > > > > are fixed and backported, having someone like carl who knew and maintained > > > > > all issues would be quite usefull > > > > > > > > 4. Someone should cross check > > > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page > > > > and backported fixes and backport missing fixes and fix unfixed issues. > > > > > > Why are there memory leaks with a CVE? > > > > a memory leak can be a denial of service > > > > > > > > > > Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git > > > master. > > > > please add a entry to our security page stating that > > How? It doesn't apply to any release. It's CVE who should fix their > description. you can add "never affected a release" (theres already a similar one) > > Also, i consider it a bit premature to make a CVE for an issue that's only > present in git master and was fixed immediately after it was reported to us. > It wasn't realistically deployed anywhere and only pads the list. The world is unlikely to delete a CVE# completely, but you can try. Some pages will refer to the issue and if its not on our page people will be confused If teh page clearly says CVE-2025-1373 doesnt affect any ffmpeg release thats clear and thats the clarity the page is supposed to provide. thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Modern terrorism, a quick summary: Need oil, start war with country that has oil, kill hundread thousand in war. Let country fall into chaos, be surprised about raise of fundamantalists. Drop more bombs, kill more people, be surprised about them taking revenge and drop even more bombs and strip your own citizens of their rights and freedoms. to be continued [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [FFmpeg-devel] CVE #s security fixes and backports 2025-02-23 21:58 ` Michael Niedermayer @ 2025-02-23 22:00 ` James Almer 2025-02-23 22:08 ` James Almer 1 sibling, 0 replies; 10+ messages in thread From: James Almer @ 2025-02-23 22:00 UTC (permalink / raw) To: ffmpeg-devel [-- Attachment #1.1.1: Type: text/plain, Size: 2555 bytes --] On 2/23/2025 6:58 PM, Michael Niedermayer wrote: > Hi > > On Sun, Feb 23, 2025 at 06:45:07PM -0300, James Almer wrote: >> On 2/23/2025 5:19 PM, Michael Niedermayer wrote: >>> Hi >>> >>> On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote: >>>> On 2/23/2025 6:12 AM, Michael Niedermayer wrote: >>>>> Hi >>>>> >>>>> On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote: >>>>>> Hi all >>>>>> >>>>>> Today ffmpeg-security was asked why 5 security fixes are missing in 6.1 >>>>>> and from our security page. >>>>>> >>>>>> These issues where posted publically on trac, and fixed by FFmpeg developers. >>>>>> Then someone seems to have registered CVE #s but not mailed ffmpeg-security >>>>>> >>>>>> I suggest >>>>>> 1. if you fix a security issue or apply a security fix, make sure it is >>>>>> backported to all supported releases >>>>>> 2. if you see a CVE # thats not on the security page, mail ffmpeg-security >>>>>> 3. If you see issues on trac that seem important, please make sure they >>>>>> are fixed and backported, having someone like carl who knew and maintained >>>>>> all issues would be quite usefull >>>>> >>>>> 4. Someone should cross check >>>>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page >>>>> and backported fixes and backport missing fixes and fix unfixed issues. >>>> >>>> Why are there memory leaks with a CVE? >>> >>> a memory leak can be a denial of service >>> >>> >>>> >>>> Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git >>>> master. >>> >>> please add a entry to our security page stating that >> >> How? It doesn't apply to any release. It's CVE who should fix their >> description. > > you can add "never affected a release" (theres already a similar one) > > >> >> Also, i consider it a bit premature to make a CVE for an issue that's only >> present in git master and was fixed immediately after it was reported to us. >> It wasn't realistically deployed anywhere and only pads the list. > > The world is unlikely to delete a CVE# completely, but you can try. > Some pages will refer to the issue and if its not on our page people > will be confused I don't want to delete a CVE, i want them to not be created prematurely for no gain... > > If teh page clearly says CVE-2025-1373 doesnt affect any ffmpeg release > thats clear and thats the clarity the page is supposed to provide. Sure, but it doesn't, and that's the problem. The description is completely made up. [-- Attachment #1.2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 495 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [FFmpeg-devel] CVE #s security fixes and backports 2025-02-23 21:58 ` Michael Niedermayer 2025-02-23 22:00 ` James Almer @ 2025-02-23 22:08 ` James Almer 1 sibling, 0 replies; 10+ messages in thread From: James Almer @ 2025-02-23 22:08 UTC (permalink / raw) To: ffmpeg-devel [-- Attachment #1.1.1: Type: text/plain, Size: 2811 bytes --] On 2/23/2025 6:58 PM, Michael Niedermayer wrote: > Hi > > On Sun, Feb 23, 2025 at 06:45:07PM -0300, James Almer wrote: >> On 2/23/2025 5:19 PM, Michael Niedermayer wrote: >>> Hi >>> >>> On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote: >>>> On 2/23/2025 6:12 AM, Michael Niedermayer wrote: >>>>> Hi >>>>> >>>>> On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote: >>>>>> Hi all >>>>>> >>>>>> Today ffmpeg-security was asked why 5 security fixes are missing in 6.1 >>>>>> and from our security page. >>>>>> >>>>>> These issues where posted publically on trac, and fixed by FFmpeg developers. >>>>>> Then someone seems to have registered CVE #s but not mailed ffmpeg-security >>>>>> >>>>>> I suggest >>>>>> 1. if you fix a security issue or apply a security fix, make sure it is >>>>>> backported to all supported releases >>>>>> 2. if you see a CVE # thats not on the security page, mail ffmpeg-security >>>>>> 3. If you see issues on trac that seem important, please make sure they >>>>>> are fixed and backported, having someone like carl who knew and maintained >>>>>> all issues would be quite usefull >>>>> >>>>> 4. Someone should cross check >>>>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page >>>>> and backported fixes and backport missing fixes and fix unfixed issues. >>>> >>>> Why are there memory leaks with a CVE? >>> >>> a memory leak can be a denial of service >>> >>> >>>> >>>> Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git >>>> master. >>> >>> please add a entry to our security page stating that >> >> How? It doesn't apply to any release. It's CVE who should fix their >> description. > > you can add "never affected a release" (theres already a similar one) I see what you mean, like in 4.4. In that case i think the proper way to do this is to add it to the 8.0 entry once that's done. > > >> >> Also, i consider it a bit premature to make a CVE for an issue that's only >> present in git master and was fixed immediately after it was reported to us. >> It wasn't realistically deployed anywhere and only pads the list. > > The world is unlikely to delete a CVE# completely, but you can try. > Some pages will refer to the issue and if its not on our page people > will be confused > > If teh page clearly says CVE-2025-1373 doesnt affect any ffmpeg release > thats clear and thats the clarity the page is supposed to provide. > > thx > > [...] > > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". [-- Attachment #1.2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 495 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [FFmpeg-devel] CVE #s security fixes and backports 2025-02-23 9:12 ` Michael Niedermayer 2025-02-23 15:41 ` James Almer @ 2025-02-23 16:49 ` Rémi Denis-Courmont 2025-02-23 21:37 ` Michael Niedermayer 1 sibling, 1 reply; 10+ messages in thread From: Rémi Denis-Courmont @ 2025-02-23 16:49 UTC (permalink / raw) To: FFmpeg development discussions and patches Le sunnuntaina 23. helmikuuta 2025, 11.12.36 UTC+2 Michael Niedermayer a écrit : > On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote: > > I suggest > > 1. if you fix a security issue or apply a security fix, make sure it is > > backported to all supported releases > > 2. if you see a CVE # thats not on the security page, mail ffmpeg-security > > 3. If you see issues on trac that seem important, please make sure they > > are fixed and backported, having someone like carl who knew and maintained > > all issues would be quite usefull > > 4. Someone should cross check > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security > page and backported fixes and backport missing fixes and fix unfixed > issues. I find these suggestions very agreeable... as long as someone else is responsible. Luckily, I am not on ffmpeg-security, so I have a rock-solid excuse. IMO, whoever "asked (...) why 5 security fixes are missing in 6.1 and from our security page" should be respectfully informed that FFmpeg is a volunteer organisation and lacks the human resources to necessary track CVEs. It probably won't make any difference in the end, but I find it better to admit that we don't do what we don't do than to give false hopes. -- Rémi Denis-Courmont Villeneuve de Tapiola, ex-République finlandaise d´Uusimaa _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [FFmpeg-devel] CVE #s security fixes and backports 2025-02-23 16:49 ` Rémi Denis-Courmont @ 2025-02-23 21:37 ` Michael Niedermayer 0 siblings, 0 replies; 10+ messages in thread From: Michael Niedermayer @ 2025-02-23 21:37 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1.1: Type: text/plain, Size: 1414 bytes --] Hi On Sun, Feb 23, 2025 at 06:49:23PM +0200, Rémi Denis-Courmont wrote: > Le sunnuntaina 23. helmikuuta 2025, 11.12.36 UTC+2 Michael Niedermayer a écrit > : > > On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote: > > > I suggest > > > 1. if you fix a security issue or apply a security fix, make sure it is > > > backported to all supported releases > > > 2. if you see a CVE # thats not on the security page, mail ffmpeg-security > > > 3. If you see issues on trac that seem important, please make sure they > > > are fixed and backported, having someone like carl who knew and maintained > > > all issues would be quite usefull > > > > 4. Someone should cross check > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security > > page and backported fixes and backport missing fixes and fix unfixed > > issues. > > I find these suggestions very agreeable... as long as someone else is > responsible. Luckily, I am not on ffmpeg-security, so I have a rock-solid > excuse. ffmpeg-security is a mail alias security reports are sent there and forwarded/delegated to the right expert in the team. (unless they can be fixed at the spot) Security is the responsibility of the whole Team thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB No snowflake in an avalanche ever feels responsible. -- Voltaire [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2025-02-23 22:13 UTC | newest] Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2025-02-23 8:56 [FFmpeg-devel] CVE #s security fixes and backports Michael Niedermayer 2025-02-23 9:12 ` Michael Niedermayer 2025-02-23 15:41 ` James Almer 2025-02-23 20:19 ` Michael Niedermayer 2025-02-23 21:45 ` James Almer 2025-02-23 21:58 ` Michael Niedermayer 2025-02-23 22:00 ` James Almer 2025-02-23 22:08 ` James Almer 2025-02-23 16:49 ` Rémi Denis-Courmont 2025-02-23 21:37 ` Michael Niedermayer
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel This inbox may be cloned and mirrored by anyone: git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \ ffmpegdev@gitmailbox.com public-inbox-index ffmpegdev Example config snippet for mirrors. AGPL code for this site: git clone https://public-inbox.org/public-inbox.git