On Mon, Sep 12, 2016 at 12:52:32PM +0200, Hugo Lefeuvre wrote: > Hi, > > > I'm counting 22 open CVEs for libav at the moment. Which of them do you > > intend to address with your fixes? Do you mind working together with > > Hugo Lefeuvre on some issues? I could imagine you both could pool your > > resources together. > > (24 if we count the two issues marked no-dsa by the security team) > > Some CVE triage: > > Upstream patch applies directly, or almost:
All of the issues marked <undetermined> don't have upstream fixes in the sense that libav fixed them, only fixes in ffmpeg git. If you want to address them in oldstable/stable, you should get the libav developers to merge them first. Cheers, Moritz