Carlos Henrique Lima Melara pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4fe05077 by Carlos Henrique Lima Melara at 2026-01-16T20:03:39-03:00
Reserve DLA-4440-1 for ffmpeg

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -48830,7 +48830,6 @@ CVE-2025-10256
        {DSA-6007-1}
        - ffmpeg 7:7.1.2-1
        [bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in 
the 5.1 branch)
-       [bullseye] - ffmpeg <postponed> (Minor issue)
        NOTE: Fixed by: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/a25462482c02c004d685a8fcf2fa63955aaa0931
 (n8.0)
        NOTE: Fixed by: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/0e8ccde9e5c9daa081eb4c037d83350390c9aa2b
 (n7.1.2)
        NOTE: Introduced in: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/d3be186ed1bcdcf2c093d6b13a0e66dc5132be2a
 (n3.2)
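Review bot: the cross-reference line for CVE-2025-10256 still reads only `{DSA-6007-1}` after the `[bullseye]` postponed entry is dropped; if the DLA is meant to be cross-referenced there the way the DSA is, add DLA-4440-1 to that line (the same applies to the other data/CVE/list hunks in this commit, which likewise keep only their DSA references). Note also that the bookworm line stays `<postponed>` waiting on the 5.1 branch while bullseye now gets a backport on the 4.3 branch, which is worth a second look.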
@@ -49714,7 +49713,6 @@ CVE-2025-9994 (The Amp\u2019ed RF BT-AP 111 Bluetooth 
access point's HTTP admin
 CVE-2025-9951 (A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which 
allows ...)
        {DSA-6007-1 DSA-5985-1}
        - ffmpeg 7:7.1.2-1
-       [bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed in 
the 4.3 branch)
        NOTE: 
https://github.com/google/security-research/security/advisories/GHSA-39q3-f8jq-v6mg
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/01a292c7e36545ddeb3c7f79cd02e2611cd37d73
 (n8.0)
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/d141e864f73152e94e0c45cc4abb8c329275c265
 (n7.1.2)
@@ -66037,7 +66035,6 @@ CVE-2024-6234
 CVE-2025-7700 (A flaw was found in FFmpeg\u2019s ALS audio decoder, where it 
does not ...)
        {DSA-6007-1 DSA-5985-1}
        - ffmpeg 7:7.1.2-1
-       [bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed in 
the 4.3 branch)
        NOTE: Introduced with: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/object/dcfd24b10c7eaec4b7b1ec2c4abb46808721a71d
        NOTE: Fixed by: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/35a6de137a39f274d5e01ed0e0e6c4f04d0aaf07
 (n8.0)
        NOTE: Fixed by: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/e0c5acb3e343d1c91c0914a786ff59176d4066a2
 (n7.1.2)
@@ -115576,7 +115573,6 @@ CVE-2025-1595 (A vulnerability has been found in 
Anhui Xufan Information Technol
 CVE-2025-1594 (A vulnerability, which was classified as critical, was found in 
FFmpeg ...)
        {DSA-6079-1 DSA-6007-1}
        - ffmpeg 7:7.1.2-1
-       [bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed 
upstream)
        NOTE: 
https://ffmpeg.org/pipermail/ffmpeg-devel/2025-February/339544.html
        NOTE: https://trac.ffmpeg.org/ticket/11418
        NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/bedfb6eca402037f5cbb115fa767d106b8c14f1c
 (n8.0)
@@ -131353,7 +131349,6 @@ CVE-2023-48775 (Missing Authorization vulnerability 
in Gfazioli WP Cleanfix allo
        NOT-FOR-US: WordPress plugin
 CVE-2023-6603 (A flaw was found in FFmpeg's HLS playlist parsing. This 
vulnerability  ...)
        - ffmpeg 7:5.0.1-2
-       [bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed 
upstream)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2334335
        NOTE: Fixed by: 
https://github.com/FFmpeg/FFmpeg/commit/28c83584e8f3cd747c1476a74cc2841d3d1fa7f3
 (n5.0)
 CVE-2023-6602 (A flaw was found in FFmpeg's TTY Demuxer. This vulnerability 
allows po ...)
@@ -139525,7 +139520,6 @@ CVE-2024-36616 (An integer overflow in the component 
/libavformat/westwood_vqa.c
 CVE-2024-36615 (FFmpeg n7.0 has a race condition vulnerability in the VP9 
decoder. Thi ...)
        - ffmpeg 7:7.1-3
        [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
-       [bullseye] - ffmpeg <postponed> (Minor issue, hard to backport)
        NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61
 (n7.1)
        NOTE: Regression fix: 
https://github.com/FFmpeg/FFmpeg/commit/8c62d77139ca07390414fcfd26b2a4d506fed3b9
 (n7.1)
 CVE-2024-36612 (Zulip from 8.0 to 8.3 contains a memory leak vulnerability in 
the hand ...)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[16 Jan 2026] DLA-4440-1 ffmpeg - security update
+       {CVE-2023-6603 CVE-2024-36615 CVE-2025-1594 CVE-2025-7700 CVE-2025-9951 
CVE-2025-10256 CVE-2025-63757}
+       [bullseye] - ffmpeg 7:4.3.9-0+deb11u2
 [15 Jan 2026] DLA-4439-1 firefox-esr - security update
        {CVE-2025-14327 CVE-2026-0877 CVE-2026-0878 CVE-2026-0879 CVE-2026-0880 
CVE-2026-0882 CVE-2026-0883 CVE-2026-0884 CVE-2026-0885 CVE-2026-0886 
CVE-2026-0887 CVE-2026-0890 CVE-2026-0891}
        [bullseye] - firefox-esr 140.7.0esr-1~deb11u1
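Review bot: DLA-4440-1 lists seven CVEs, but the data/CVE/list hunks in this commit touch only six of them; CVE-2025-63757 has no corresponding change, so check that its entry carries no leftover `[bullseye] - ffmpeg <postponed>` line and that 7:4.3.9-0+deb11u2 really covers it, otherwise the tracker will report that CVE as still open for bullseye.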


=====================================
data/dla-needed.txt
=====================================
@@ -89,19 +89,6 @@ epiphany-browser (abhijith)
   NOTE: 20251206: Added by Front-Desk (rouca)
   NOTE: 20251206: Fix CVE-2023-26081 fixed in buster. Try to fix other CVEs 
postponed (fd/rouca)
 --
-ffmpeg (charles)
-  NOTE: 20251102: Added by Front-Desk (apo)
-  NOTE: 20251125: Re-claim it. I'm working thorugh the long list of postponed
-  NOTE: 20251125: CVEs. I've got the bullseye's patches for CVE-2023-6603 and
-  NOTE: 20251125: CVE-2024-36615 atm. In the end, I plan to submit upstream for
-  NOTE: 20251125: ffmpeg's LTS branches because we get upstream review +
-  NOTE: 20251125: contribute back to free software, so win-win I guess :-)
-  NOTE: 20251222: Timing isn't perfect with the holidays, but I've sent the
-  NOTE: 20251222: fixes upstream for review:
-  NOTE: 20251222: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21275 (charles)
-  NOTE: 20260114: The MR was accepted upstream, only pending thing is to check
-  NOTE: 20260114: one failure in a rdep test spotted in debusine (lebiniou).
---
 firmware-nonfree
   NOTE: 20251130: Added by Front-Desk. Moreover, take care of postponed issue 
(rouca)
 --
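Review bot: the last NOTE of the removed ffmpeg entry (20260114) says one rdep test failure spotted in debusine was still to be checked; dropping the whole entry from dla-needed.txt at reservation time loses that open item, so either state in the commit message that the failure was resolved or keep the entry until DLA-4440-1 is actually published.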



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fe050772ba5224c0fd0e1602b95c6542d103c65



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
