On Tue, Jul 01, 2014 at 10:01:35AM +1000, Matt Palmer wrote:
> Hi,
>
> On Fri, Jun 27, 2014 at 07:30:11PM +0200, Andreas Cadhalpun wrote:
> > I'd like to inform you that ffmpeg 0.5.10-1 in squeeze is vulnerable
> > to CVE-2014-4610 [1].
> > The fix [2] should be easily backportable.
>
> Thanks for taking the time to send this info through.
>
> This bug has been marked as "wontfix" for squeeze; the rationale provided
> was "end-of-life; Backports to 0.5.x not useful, too many checks missing".
> I'm not an expert in all things ffmpeg, and I wasn't the one who added that
> note; I've Cc'd the person who added that notation to provide further
> rationale if you need it.

If there are isolated patches which apply to 0.5.x, they can be shipped.
Raphael was also planning to push some fixes.

Cheers,
Moritz