On 13.09.2016 15:00, Diego Biurrun wrote:
> On Mon, Sep 12, 2016 at 12:52:32PM +0200, Hugo Lefeuvre wrote:
>>> I'm counting 22 open CVEs for libav at the moment. Which of them do you
>>> intend to address with your fixes? Do you mind working together with
>>> Hugo Lefeuvre on some issues? I could imagine you both could pool your
>>> resources together.
>>
>> (24 if we count the two issues marked no-dsa by the security team)
>>
>> Some CVE triage:
>>
>> Upstream patch applies directly, or almost:
>> CVE-2015-5479
>>
>> Upstream patch needs some (heavy) adaptations:
>> CVE-2015-1872
>
> I have already pushed fixes for these two CVEs to the 0.8 branch in
> July. I think I notified you, not sure if you put out a new Debian
> release that includes the fixes.
I assume by 0.8 branch you are referring to the upstream repository. I think it would be easier if you sent the patches to this list or created a new git repository based on Debian's version in Wheezy with your patches applied. This would simplify the process of reviewing your work.

I think you are in the best position to determine what patches should go into a new security release. In general we want to fix all open issues. We don't necessarily need to fix all at once, but having to do several small releases, which might be disruptive for users, should be avoided if possible.

In short we need:

a) the single patches rebased against the current version in Wheezy, or a Git repository for the same purpose
b) a concrete statement of what patches, and how many, should go into the next security update
c) a deadline

Provided we can clarify a) and b) soon, would it be doable to release a new security update at the end of September?

P.S.: Sending mails to the list should be sufficient because every team member is subscribed to it.

Regards,
Markus