On Thu, 2015-09-03 at 22:40 -0700, Vincent Cheng wrote:
> On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi <luca.bocca...@gmail.com> wrote:
> > On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> >> Source: libvdpau
> >> Severity: important
> >> Tags: security, fixed-upstream
> >>
> >> Hi,
> >>
> >> the following vulnerabilities were published for libvdpau.
> >>
> >> CVE-2015-5198[0]:
> >> incorrect check for security transition
> >>
> >> CVE-2015-5199[1]:
> >> directory traversal in dlopen
> >>
> >> CVE-2015-5200[2]:
> >> vulnerability in trace functionality
> >>
> >> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> >> release.
> >>
> >> If you fix the vulnerabilities please also make sure to include the
> >> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> > Hello Alessandro,
> >
> > Thanks for the heads-up!
> >
> > Vincent, Andreas,
> >
> > I have updated the libvdpau git repo with the new release [1]. I have
> > tested the amd64 and i386 packages in Jessie, and they seem to work just
> > fine with vdpauinfo and VLC.
> >
> > Could you please review and do a new upload, when you have time?
> >
> > Thanks!
> >
> > Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.
>
> Uploaded, thanks! I'll make a note to myself to update the package in
> jessie-backports as well. Luca, let me know if you need a sponsor for
> the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
> don't know if these CVEs warrant a DSA, so ping the security team
> first with a source debdiff and see what they say, and if they say no
> then ping the release team instead); thanks for taking care of updates
> for stable/oldstable/oldoldstable!

Hello Vincent,

Thanks for uploading 1.1.1!

I have pushed to the git repo the backported changes for jessie [1] and
wheezy [2].

Alessandro confirmed that the Security Team would like to release a DSA
for this [3], so could you please sponsor the upload to security-master
when you have time? I added you to the Uploaders in the wheezy branch
already.

Thanks!

Kind regards,
Luca Boccassi

[1] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git/log/?h=jessie-security
[2] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git/log/?h=wheezy-security
[3] http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/2015-September/011509.html