From: James Almer <jamrial@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] CVE #s security fixes and backports
Date: Sun, 23 Feb 2025 12:41:23 -0300
Message-ID: <22ec2abf-bff5-4a89-b1cc-3bf73f726c22@gmail.com> (raw)
In-Reply-To: <20250223091236.GP4991@pb2>
[-- Attachment #1.1.1: Type: text/plain, Size: 1456 bytes --]
On 2/23/2025 6:12 AM, Michael Niedermayer wrote:
> Hi
>
> On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
>> Hi all
>>
>> Today ffmpeg-security was asked why 5 security fixes are missing in 6.1
>> and from our security page.
>>
>> These issues where posted publically on trac, and fixed by FFmpeg developers.
>> Then someone seems to have registered CVE #s but not mailed ffmpeg-security
>>
>> I suggest
>> 1. if you fix a security issue or apply a security fix, make sure it is
>> backported to all supported releases
>> 2. if you see a CVE # thats not on the security page, mail ffmpeg-security
>> 3. If you see issues on trac that seem important, please make sure they
>> are fixed and backported, having someone like carl who knew and maintained
>> all issues would be quite usefull
>
> 4. Someone should cross check
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page
> and backported fixes and backport missing fixes and fix unfixed issues.
Why are there memory leaks with a CVE?
Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git
master.
>
> thx
>
> [...]
>
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2025-02-23 15:41 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-23 8:56 Michael Niedermayer
2025-02-23 9:12 ` Michael Niedermayer
2025-02-23 15:41 ` James Almer [this message]
2025-02-23 20:19 ` Michael Niedermayer
2025-02-23 16:49 ` Rémi Denis-Courmont
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=22ec2abf-bff5-4a89-b1cc-3bf73f726c22@gmail.com \
--to=jamrial@gmail.com \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git