Re: CVE-2016-2839 / Firefox-ESR

2016-08-19 Thread Luciano Bello
On Friday 19 August 2016 17.39.02 Brian May wrote: > > All 45.3.0esr-1* versions are fixed, but this only actually affects when > > playing videos with ffmpeg 0.10 installed. *not* ffmpeg 1.0, *not* > > libav. So for most practical purposes, wheezy and jessie are not > > /really/ affected as long

Re: matrixssl

2016-08-19 Thread Guido Günther
Hi Brian, On Thu, Aug 18, 2016 at 07:24:55AM +0200, Guido Günther wrote: > Hi Brian, > On Wed, Aug 17, 2016 at 05:49:46PM +1000, Brian May wrote: > > Guido Günther writes: > > > > > As I wrote in dla-needed.txt the bignum handling is in > > > crypto/peersec/mpi.c and it seems

Re: Wheezy update of chicken?

2016-08-19 Thread Chris Lamb
Brian May wrote: > It looks like this patch involves refactoring of the code. Which is > going to make it more complicated applying it to the wheezy version. Indeed. In fact, when I was working back from this patch it was not immediately obvious that wheezy was vulnerable due to the changes...

Re: Wheezy update of chicken?

2016-08-19 Thread Brian May
Brian May writes: > I just had a look at CVE-2016-6830. I was going to look at CVE-2016-6831 separately, however it looks like this was fixed at the same time as CVE-2016-6830 http://seclists.org/oss-sec/2016/q3/308 -- Brian May

Re: CVE-2016-2839 / Firefox-ESR

2016-08-19 Thread Brian May
Mike Hommey writes: > All 45.3.0esr-1* versions are fixed, but this only actually affects when > playing videos with ffmpeg 0.10 installed. *not* ffmpeg 1.0, *not* > libav. So for most practical purposes, wheezy and jessie are not > /really/ affected as long as only packages