On 2/23/2025 6:58 PM, Michael Niedermayer wrote: > Hi > > On Sun, Feb 23, 2025 at 06:45:07PM -0300, James Almer wrote: >> On 2/23/2025 5:19 PM, Michael Niedermayer wrote: >>> Hi >>> >>> On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote: >>>> On 2/23/2025 6:12 AM, Michael Niedermayer wrote: >>>>> Hi >>>>> >>>>> On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote: >>>>>> Hi all >>>>>> >>>>>> Today ffmpeg-security was asked why 5 security fixes are missing in 6.1 >>>>>> and from our security page. >>>>>> >>>>>> These issues where posted publically on trac, and fixed by FFmpeg developers. >>>>>> Then someone seems to have registered CVE #s but not mailed ffmpeg-security >>>>>> >>>>>> I suggest >>>>>> 1. if you fix a security issue or apply a security fix, make sure it is >>>>>> backported to all supported releases >>>>>> 2. if you see a CVE # thats not on the security page, mail ffmpeg-security >>>>>> 3. If you see issues on trac that seem important, please make sure they >>>>>> are fixed and backported, having someone like carl who knew and maintained >>>>>> all issues would be quite usefull >>>>> >>>>> 4. Someone should cross check >>>>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security page >>>>> and backported fixes and backport missing fixes and fix unfixed issues. >>>> >>>> Why are there memory leaks with a CVE? >>> >>> a memory leak can be a denial of service >>> >>> >>>> >>>> Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only git >>>> master. >>> >>> please add a entry to our security page stating that >> >> How? It doesn't apply to any release. It's CVE who should fix their >> description. > > you can add "never affected a release" (theres already a similar one) I see what you mean, like in 4.4. In that case i think the proper way to do this is to add it to the 8.0 entry once that's done. > > >> >> Also, i consider it a bit premature to make a CVE for an issue that's only >> present in git master and was fixed immediately after it was reported to us. >> It wasn't realistically deployed anywhere and only pads the list. > > The world is unlikely to delete a CVE# completely, but you can try. > Some pages will refer to the issue and if its not on our page people > will be confused > > If teh page clearly says CVE-2025-1373 doesnt affect any ffmpeg release > thats clear and thats the clarity the page is supposed to provide. > > thx > > [...] > > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".