*** This bug is a security vulnerability ***

Public security bug reported:

Please sync ffmpeg 7:3.1.4-1 (universe) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * debian/patches/0001-tests-checkasm-pixblockdsp-Test-8-byte-aligned-posit.patch:
    Cherry-pick patch from upstream to fix tests on armhf (on arm64, as our
    builders are) (LP: #1612058).
  * Resynchronise with Debian.  Remaining changes:
    - Compile with -O2 rather than -O3 on s390x, to work around
      https://bugs.launchpad.net/bugs/1526324.

Both patches can be dropped:
 * The checkasm fix was cherry-picked from upstream and is included
   in the new release.
 * The s390x workaround should no longer be necessary since gcc-6 is the 
   default compiler, because the bug only affects gcc-5.

In the new upstream versions the following CVEs were fixed:
 * CVE-2016-6164 (in 3.1.1)
 * CVE-2016-6671 (in 3.1.2)
 * CVE-2016-6920 and CVE-2016-6881 (in 3.1.3)
 * CVE-2016-7122, CVE-2016-7450, CVE-2016-7502, CVE-2016-7555,
   CVE-2016-7562, CVE-2016-7785 and CVE-2016-7905 (in 3.1.4)

This would also fix LP: #1626220 and LP: #1628595.

Changelog entries since current zesty version 7:3.0.2-1ubuntu3:

ffmpeg (7:3.1.4-1) unstable; urgency=medium

  [ Ondřej Nový ]
  * Disable librtmp support, because the built-in RTMP support is better.

  [ Andreas Cadhalpun ]
  * Import new upstream bugfix release 3.1.4.
     - Fixes CVE-2016-7122, CVE-2016-7450, CVE-2016-7502, CVE-2016-7555,
       CVE-2016-7562, CVE-2016-7785 and CVE-2016-7905. (Closes: #840434)
  * Fix typos.
  * Replace libopencv-dev build-dependency with libopencv-imgproc-dev.
  * Improve build-time optimization for libavfilter-extra.
  * Mention sofalizer in libavfilter-extra6 description.
  * Remove redundant nocheck test.
  * Add libopenjpegenc-recreate-image-data-buffer.patch to fix autopkg
    test crashes.
  * Let the encdec test print the command before executing it.
  * Update encdec*_list.txt.
  * Re-enable the libopenjpeg decoder.
  * Enable libzmq on hurd, as it is now available there.
  * Use 'set -e' to abort build on configure failure.
  * Only set CC/CXX if they differ from the default.
  * Set configure options for cross-building.

 -- Andreas Cadhalpun <andreas.cadhal...@googlemail.com>  Tue, 11 Oct 2016 21:17:10 +0200

ffmpeg (7:3.1.3-2) unstable; urgency=medium

  * Team upload.

  [ Balint Reczey ]
  * Enable OCR using Tesseract in libavfilter-extra* (Closes: 822555)

  [ Sebastian Ramacher ]
  * debian/libavcodec*.lintian-overrides: Remove unused lintian override.
  * debian/rules:
    - Enable all hardening options except pie.
    - Apply the same optimization for libavfilter extra flavor.
  * debian/{control,rules}: Build libavfilter extra flavor with --enable-netcdf.

 -- Sebastian Ramacher <sramac...@debian.org>  Wed, 28 Sep 2016 21:42:19 +0200

ffmpeg (7:3.1.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream release.
  * debian/{rules,*.symbols}: Remove symbol files and generate tighter
    dependencies using a dh_makeshlibs override. (Closes: #835645)
  * debian/copyright: Fix dep5-copyright-license-name-not-unique.

 -- Sebastian Ramacher <sramac...@debian.org>  Sun, 28 Aug 2016 12:12:44 +0200

ffmpeg (7:3.1.2-1) unstable; urgency=medium

  * New upstream release.
  * debian/patches:
    - fix-vaapi-default-values.patch: Removed, applied upstream.
    - Revert-configure-Enable-GCC-vectorization-on-4.9-on-.patch: Removed,
      included upstream.

 -- Sebastian Ramacher <sramac...@debian.org>  Wed, 10 Aug 2016 20:42:29 +0200

ffmpeg (7:3.1.1-4) unstable; urgency=high

  * debian/control:
    - Remove obsolete Conflicts.
    - Remove obsolete Breaks against dmo packages.
  * debian/patches/fix-vaapi-default-values.patch: Use local independent
    default values. Thanks to Carl Eugen Hoyos. (Closes: #831529)

 -- Sebastian Ramacher <sramac...@debian.org>  Wed, 03 Aug 2016 15:16:59 +0200

ffmpeg (7:3.1.1-3) unstable; urgency=medium

  [ James Clarke ]
  * debian/rules: Re-enable x264 on sparc64 as the linker has been fixed.
    (Closes: #831582)

  [ Sebastian Ramacher ]
  * debian/patches/Revert-configure-Enable-GCC-vectorization-on-4.9-on-.patch:
    Apply upstream patch to disable GCC vectorization.

 -- Sebastian Ramacher <sramac...@debian.org>  Thu, 21 Jul 2016 20:26:12 +0200

ffmpeg (7:3.1.1-2) unstable; urgency=medium

  * Team upload.

  [ Aurelien Jarno ]
  * debian/rules: Fix FTBFS on mips64el by adding --disable-mips64r6. (Closes:
    #830868)

 -- Sebastian Ramacher <sramac...@debian.org>  Tue, 12 Jul 2016 16:38:52 +0200

ffmpeg (7:3.1.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream release.
  * debian/rules:
    - Really build with opencv everywhere. (Closes: #827868)
    - Remove obsolete comments.
    - Build with --enable-libebur128.
  * debian/patches
    - lavf-mpegts-Return-small-probe-score-for-very-short-.patch: Removed,
      included upstream.
    - disable-opj-static.patch: Do not define OPJ_STATIC when building against
      openjpeg 2.1.x.
  * debian/control: Add libebur128-dev to B-D.
  * debian/copyright:
    - Add new copyright holders.
    - Update copyright years.

 -- Sebastian Ramacher <sramac...@debian.org>  Tue, 12 Jul 2016 09:37:46 +0200

ffmpeg (7:3.0.2-4) unstable; urgency=medium

  * debian/control: Switch to libopenjp2-7-dev. (Closes: #826812)

 -- Sebastian Ramacher <sramac...@debian.org>  Sat, 11 Jun 2016 11:19:42 +0200

ffmpeg (7:3.0.2-3) unstable; urgency=medium

  * Team upload.

  [ Balint Reczey ]
  * Build-depend on libx265-dev (>= 1.8)

  [ Sebastian Ramacher ]
  * debian/rules:
    - No longer disable i686 optimization on i386 based architectures.
    - Disable mips32r6 for all mips architectures.
  * debian/copyright: Remove an extra 'with'.

 -- Sebastian Ramacher <sramac...@debian.org>  Wed, 01 Jun 2016 20:43:32 +0200

ffmpeg (7:3.0.2-2) unstable; urgency=medium

  * Team upload.
  * debian/rules: Build with --disable-mips32r6 on mips(el) to fix FTBFS
    there.

 -- Sebastian Ramacher <sramac...@debian.org>  Fri, 13 May 2016 16:49:23 +0200

** Affects: ffmpeg (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Public to Public Security

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6164

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6671

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6920

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6881

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7122

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7450

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7502

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7555

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7562

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7785

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7905

https://bugs.launchpad.net/bugs/1635443

Title:
  Sync ffmpeg 7:3.1.4-1 (universe) from Debian unstable (main)
