Hi On Sun, Feb 23, 2025 at 07:00:47PM -0300, James Almer wrote: > On 2/23/2025 6:58 PM, Michael Niedermayer wrote: > > Hi > > > > On Sun, Feb 23, 2025 at 06:45:07PM -0300, James Almer wrote: > > > On 2/23/2025 5:19 PM, Michael Niedermayer wrote: > > > > Hi > > > > > > > > On Sun, Feb 23, 2025 at 12:41:23PM -0300, James Almer wrote: > > > > > On 2/23/2025 6:12 AM, Michael Niedermayer wrote: > > > > > > Hi > > > > > > > > > > > > On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote: > > > > > > > Hi all > > > > > > > > > > > > > > Today ffmpeg-security was asked why 5 security fixes are missing > > > > > > > in 6.1 > > > > > > > and from our security page. > > > > > > > > > > > > > > These issues where posted publically on trac, and fixed by FFmpeg > > > > > > > developers. > > > > > > > Then someone seems to have registered CVE #s but not mailed > > > > > > > ffmpeg-security > > > > > > > > > > > > > > I suggest > > > > > > > 1. if you fix a security issue or apply a security fix, make sure > > > > > > > it is > > > > > > > backported to all supported releases > > > > > > > 2. if you see a CVE # thats not on the security page, mail > > > > > > > ffmpeg-security > > > > > > > 3. If you see issues on trac that seem important, please make > > > > > > > sure they > > > > > > > are fixed and backported, having someone like carl who knew and > > > > > > > maintained > > > > > > > all issues would be quite usefull > > > > > > > > > > > > 4. Someone should cross check > > > > > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our > > > > > > security page > > > > > > and backported fixes and backport missing fixes and fix unfixed > > > > > > issues. > > > > > > > > > > Why are there memory leaks with a CVE? > > > > > > > > a memory leak can be a denial of service > > > > > > > > > > > > > > > > > > Also, CVE-2025-1373 is wrong, it doesn't apply to any release, only > > > > > git > > > > > master. > > > > > > > > please add a entry to our security page stating that > > > > > > How? It doesn't apply to any release. It's CVE who should fix their > > > description. > > > > you can add "never affected a release" (theres already a similar one) > > > > > > > > > > Also, i consider it a bit premature to make a CVE for an issue that's only > > > present in git master and was fixed immediately after it was reported to > > > us. > > > It wasn't realistically deployed anywhere and only pads the list. > > > > The world is unlikely to delete a CVE# completely, but you can try. > > Some pages will refer to the issue and if its not on our page people > > will be confused > > I don't want to delete a CVE, i want them to not be created prematurely for > no gain...
duplicate CVE# and non-CVE# are a thing. I also want that not to be. I remember that being also mentioned in mail between me and google security people MANY years ago. > > > > > If teh page clearly says CVE-2025-1373 doesnt affect any ffmpeg release > > thats clear and thats the clarity the page is supposed to provide. > > Sure, but it doesn't, and that's the problem. The description is completely > made up. If a CVE has a nonsense description, you/we can try to report this or just mention it on our security page thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB I do not agree with what you have to say, but I'll defend to the death your right to say it. -- Voltaire
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
