Hi,
> On 08/08/2024 15:20, Santiago Ruano Rincón wrote:
>> On 08/08/24 at 11:56, Sylvain Beucler wrote:
>> Since then:
>> - gpac was EOLd in buster
>>   https://salsa.debian.org/debian/debian-security-support/-/commit/a0bfdf01d404aba46893d2971d776f8f7fb5337e
>> - gpac was removed from bookworm
>>   https://tracker.debian.org/news/1430135/gpac-removed-from-testing/
>> - gpac was removed from sid
>>   https://tracker.debian.org/news/1548977/removed-221dfsg1-31-from-unstable/
>> gpac in bullseye still has >100 open CVEs and I don't believe the situation
>> described by Roberto improved.
>> Do we want to mark gpac EOL for bullseye as well?
> I think it makes sense, yes. Would you like to proceed and document
> this in d-d-s?
Here is the MR :)
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/27
For reference, a few more details about the gpac package:
- bookworm removal BTS with rationale:
  RM: gpac/2.0.0+dfsg1-4
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034798
- bullseye rdeps:
  - x264 (high popcon)
  - ogmrip (not in bookworm and trixie)
- x264 impact: output to .mp4 in 'x264' cli utility (not 'libx264'),
  recompiled without gpac/.mp4 output support in bookworm and later, cf:
  unblock: x264/2:0.164.3095+gitbaee400-3
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034653
  gpac/bullseye will not handle arbitrary data,
  but rather data produced by x264
  -> security impact limited
- 112 open CVEs
- 3 past bullseye updates:
  DSA-4966-1 [31 Aug 2021] (24 CVEs)
  DSA-5411-1 [26 May 2023] (113 CVEs)
  DSA-5452-1 [14 Jul 2023] (3 CVEs)
Cheers!
Sylvain Beucler
Debian LTS Team