On 2026-02-21 23:04:23 +0000, Lyndon Brown wrote:
> On Sat, 2026-02-21 at 23:53 +0100, Sebastian Ramacher wrote:
> > On 2026-02-21 22:47:26 +0000, Lyndon Brown wrote:
> > > Source: ffmpeg
> > > Version: 7:8.0.1-3
> > > Severity: grave
> > >
> > > Dear maintainer, you may be aware of the recent high-profile security
> > > vulnerability patched in libvpx (CVE-2026-2447).
> > >
> > > Please be aware that while libvpx12 in the Sid archive is patched for
> > > this, libvpx11 is not, and ffmpeg libraries libavcodec61 and
> > > libavcodec-extra61 depend upon libvpx11 not libvpx12.
> >
> > libavcodec61 and libavcodec-extra61 are cruft packages from ffmpeg
> > 7.0.x.
> >
> > > This leaves users of the likes of ffmpeg, blender, handbrake, kodi, and
> > > linphone potentially vulnerable.
> >
> > See the open FTBFS bugs of handbrake, kodi, and others. There is nothing
> > in ffmpeg that can be done to fix those.
> >
> > > I've filed a bug against libvpx11 itself (#1128623). Hopefully its
> > > maintainer will backport patches. Otherwise please can you look at
> > > patching ffmpeg to use libvpx12.
> >
> > ffmpeg is already using libvpx12. Closing.
> >
> > Cheers
>
> Ah yes, I see.
>
> I made an assumption about ffmpeg itself, overlooked that these libs
> were old components, and wasn't aware of the issue of these dependent
> projects not yet having moved to version 8.
>
> libvpx11 will just have to be patched then.

It can't. libvpx11 is cruft in unstable.

Cheers
-- 
Sebastian Ramacher

