On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi <luca.bocca...@gmail.com> wrote:
> On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
>> Source: libvdpau
>> Severity: important
>> Tags: security, fixed-upstream
>>
>> Hi,
>>
>> the following vulnerabilities were published for libvdpau.
>>
>> CVE-2015-5198[0]:
>> incorrect check for security transition
>>
>> CVE-2015-5199[1]:
>> directory traversal in dlopen
>>
>> CVE-2015-5200[2]:
>> vulnerability in trace functionality
>>
>> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
>> release.
>>
>> If you fix the vulnerabilities please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> Hello Alessandro,
>
> Thanks for the heads-up!
>
> Vincent, Andreas,
>
> I have updated the libvdpau git repo with the new release [1]. I have
> tested the amd64 and i386 packages in Jessie, and they seem to work just
> fine with vdpauinfo and VLC.
>
> Could you please review and do a new upload, when you have time?
>
> Thanks!
>
> Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.
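The first two CVE titles quoted above (an incorrect security-transition check, and directory traversal in a dlopen path) describe two checks that any library loading a user-selectable driver has to get right. The following C sketch is an added example, not part of this thread and not libvdpau's own code: it shows a library deciding whether to honour a driver name from the environment (refusing it when the process has crossed a security transition, detected via AT_SECURE on glibc rather than a bare uid/euid comparison) and rejecting names that could traverse out of the driver directory before they reach dlopen(). The VDPAU_DRIVER variable is one libvdpau really consults, but the driver directory, the `libvdpau_<name>.so.1` naming, the default driver name and all function names are assumptions made for this example; it does not reproduce the upstream fix.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (glibc) */
#endif

/* Added example, not libvdpau code. Paths and names are assumptions. */

/* True when the kernel flagged this process as having crossed a security
 * transition (setuid/setgid binary or file capabilities). On Linux the
 * auxiliary vector entry AT_SECURE is the authoritative signal; comparing
 * uid to euid alone misses privileges granted through capabilities. */
static bool process_is_secure(void)
{
#ifdef __linux__
    return getauxval(AT_SECURE) != 0;
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* A driver name may only be a single path component built from
 * [A-Za-z0-9_-]: no '/', no '.', so neither ".." nor "a/../b" can leave
 * the driver directory once the name is spliced into a dlopen() path. */
bool driver_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    for (const char *p = name; *p; p++) {
        if (!(isalnum((unsigned char)*p) || *p == '_' || *p == '-'))
            return false;
    }
    return true;
}

/* Pick the driver name to load. The environment value is only honoured when
 * the process is not "secure"; a missing or unsafe value falls back to the
 * compiled-in default. */
const char *choose_driver_name(const char *env_value, bool secure,
                               const char *default_name)
{
    if (secure || !driver_name_is_safe(env_value))
        return default_name;
    return env_value;
}

/* Build "<dir>/libvdpau_<name>.so.1" for dlopen(). Returns 0 on success,
 * -1 if the name is unsafe or the buffer is too small. */
int build_driver_path(char *out, size_t out_len, const char *dir,
                      const char *name)
{
    if (!driver_name_is_safe(name))
        return -1;
    int n = snprintf(out, out_len, "%s/libvdpau_%s.so.1", dir, name);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return 0;
}

int main(void)
{
    /* Default name and directory are constructed for the example. */
    const char *name = choose_driver_name(getenv("VDPAU_DRIVER"),
                                          process_is_secure(), "nvidia");
    char path[256];
    if (build_driver_path(path, sizeof path, "/usr/lib/vdpau", name) != 0) {
        fprintf(stderr, "refusing to build driver path\n");
        return 1;
    }
    printf("would dlopen: %s\n", path);
    return 0;
}
```

The two decisions are kept in separate pure functions so they can be unit-tested without a setuid binary: the secure flag is passed in rather than read inside `choose_driver_name`, and `build_driver_path` re-checks the name itself so a caller cannot bypass the validation by skipping the first step.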
Uploaded, thanks! I'll make a note to myself to update the package in jessie-backports as well.

Luca, let me know if you need a sponsor for the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I don't know if these CVEs warrant a DSA, so ping the security team first with a source debdiff and see what they say, and if they say no then ping the release team instead); thanks for taking care of updates for stable/oldstable/oldoldstable!

Regards,
Vincent