Your message dated Tue, 21 Oct 2014 10:01:54 +0000
with message-id <e1xgwgi-0001lv...@franck.debian.org>
and subject line Bug#765435: fixed in libvpx 1.3.0-3
has caused the Debian Bug report #765435,
regarding libvpx: Out-of-bounds write with WebM video [CVE-2014-1578]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
765435: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765435
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libvpx
Version: 1.3.0-2.1
Severity: grave
Tags: security patch
Justification: user security hole

Hi,

an out-of-bounds write vulnerability in libvpx has been fixed in a recent Mozilla
advisory [1], and a patch is also provided [2].

Can you prepare an update for unstable and push it asap?

Also, I'm unsure if the vulnerability affects stable, so it might be
worth checking there too (and coordinate with us for an upload).

If you fix the vulnerability, please add the CVE reference
(CVE-2014-1578) to the changelog.

[1]: https://www.mozilla.org/security/announce/2014/mfsa2014-77.html
[2]: https://hg.mozilla.org/releases/mozilla-esr31/rev/6023f0b4f8ba

Thanks in advance,
-- 
Yves-Alexis Perez - Debian security team

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
--- Begin Message ---
Source: libvpx
Source-Version: 1.3.0-3

We believe that the bug you reported is fixed in the latest version of
libvpx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 765...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Dröge <sl...@debian.org> (supplier of updated libvpx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 21 Oct 2014 10:02:18 +0200
Source: libvpx
Binary: libvpx-dev libvpx1 libvpx1-dbg libvpx-doc vpx-tools
Architecture: source all amd64
Version: 1.3.0-3
Distribution: unstable
Urgency: high
Maintainer: Sebastian Dröge <sl...@debian.org>
Changed-By: Sebastian Dröge <sl...@debian.org>
Description:
 libvpx-dev - VP8 and VP9 video codec (development files)
 libvpx-doc - VP8 and VP9 video codec (API documentation)
 libvpx1    - VP8 and VP9 video codec (shared library)
 libvpx1-dbg - VP8 and VP9 video codec (debugging symbols)
 vpx-tools  - VP8 and VP9 video codec encoding/decoding tools
Closes: 760095 765435
Changes:
 libvpx (1.3.0-3) unstable; urgency=high
 .
   * debian/control:
     + Add VP9 to the short and long package descriptions (Closes: #760095).
   * debian/patches/vp9-out-of-bounds-access.patch:
     + Fix out of bounds access in the VP9 codec (CVE-2014-1578) (Closes: #765435).


--- End Message ---