[SRU] New upstream bugfix releases 4.2.9, 4.4.4 and 5.1.3

Bug #2033955 reported by Luís Infante da Câmara
Affects: ffmpeg (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

[Impact]

New upstream bugfix releases 4.2.9, 4.4.4 and 5.1.3 are available.

These releases fix:
* CVE-2022-48434 in Ubuntu 22.04 and
* CVE-2022-3964, CVE-2022-3965 and CVE-2022-4907 in Ubuntu 23.04 and
* many other bugs.

[Test Plan]

For each Ubuntu release being updated and each architecture of amd64, arm64, and other architectures that can be tested, run the following commands in a chroot, container or VM of that Ubuntu release and architecture:
[Download the .dsc file for the update]
$ sudo apt install build-essential
$ dpkg-source -x $SOURCE_DSC
$ cd ffmpeg-$UPSTREAM_VERSION
$ debuild -us -uc
[If required, install build dependencies and repeat the command]
$ export LD_LIBRARY_PATH="libavcodec:libavdevice:libavfilter:libavformat:libavresample:libavutil:libpostproc:libswresample:libswscale"
$ cd debian/standard
$ make fate-rsync SAMPLES=fate-suite/
$ make fate -k SAMPLES=fate-suite/

[Where problems could occur]

The bug fixes in this update could create regressions in other packages in the Ubuntu archive or in third-party software.

Changed in ffmpeg (Ubuntu):
assignee: nobody → Luís Infante da Câmara (luis220413)
description: updated
description: updated
description: updated
Eduardo Barretto (ebarretto) wrote :

Most of the CVEs are already fixed under Pro. Also there are no testing instructions.

Changed in ffmpeg (Ubuntu):
status: New → Incomplete
Luís Infante da Câmara (luis220413) wrote :

Testing instructions:
$ sbuild -A -d $RELEASE-security -a $ARCH $SOURCE_DSC
$ autopkgtest -U -o results_ffmpeg_$RELEASE $SOURCE_DSC *_${VERSION}_{all,$ARCH}.deb -- schroot $RELEASE-$ARCH

I executed these instructions prior to uploading each of the .debian.tar.xz above.

description: updated
Changed in ffmpeg (Ubuntu):
status: Incomplete → Confirmed
assignee: Luís Infante da Câmara (luis220413) → nobody
Eduardo Barretto (ebarretto) wrote :

autopkgtest is already part of the workflow
please provide specific tests for the vulnerabilities if possible.

Changed in ffmpeg (Ubuntu):
status: Confirmed → Incomplete
Luís Infante da Câmara (luis220413) wrote (last edit ):

I have not been able to find any PoCs for any of the vulnerabilities in these updates. However, we can use the FATE testsuite to provide additional test coverage, as we did in bug #1970674:

For each Ubuntu release being updated, run the following commands:
[Download the .dsc file for the update]
$ dpkg-source -x $SOURCE_DSC
$ cd ffmpeg-$UPSTREAM_VERSION
$ debuild -us -uc
[If necessary, install build dependencies and repeat the previous command]
$ export LD_LIBRARY_PATH="libavcodec:libavdevice:libavfilter:libavformat:libavresample:libavutil:libpostproc:libswresample:libswscale"
$ cd debian/standard
$ make fate-rsync SAMPLES=fate-suite/
$ make fate -k SAMPLES=fate-suite/
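
The FATE procedure above (in the description's test plan and again in this comment) produces a long `make -k` log but no summary, and an SRU reviewer wants to see which tests fail before and after the update. The following helper is an added example, not part of this bug report or of the ffmpeg packaging: `run_fate` wraps the page's commands and keeps the full log, and `fate_regressions` / `fate_fixed` diff the failed `fate-*` targets between two logs. It assumes GNU make's failure-line format (`make: *** [fate-NAME] Error N`, or with a `Makefile:line:` prefix in make 4.x); the two sample logs are constructed for illustration and are not output from the packages discussed here.

```shell
#!/bin/sh
# Added helper for the FATE test plan: run the suite on the current and on the
# updated package, then diff the failing fate-* targets between the two logs.
# Assumes GNU make's failure-line format; sample logs below are constructed.
LC_ALL=C
export LC_ALL

# run_fate BUILD_DIR LOGFILE
# Runs the FATE commands from the test plan inside BUILD_DIR (the unpacked and
# built ffmpeg-$UPSTREAM_VERSION tree) and keeps the complete output in LOGFILE.
run_fate() {
    (
        cd "$1" || exit 1
        export LD_LIBRARY_PATH="libavcodec:libavdevice:libavfilter:libavformat:libavresample:libavutil:libpostproc:libswresample:libswscale"
        cd debian/standard || exit 1
        make fate-rsync SAMPLES=fate-suite/
        make fate -k SAMPLES=fate-suite/
    ) 2>&1 | tee "$2"
}

# fate_failures LOGFILE
# Prints the sorted, unique names of the fate-* targets that failed.
# GNU make reports a failed target as either
#   make: *** [fate-NAME] Error 1                       (make 3.x)
#   make: *** [tests/Makefile:NNN: fate-NAME] Error 1   (make 4.x)
# optionally prefixed with a recursion level such as "make[1]:".
fate_failures() {
    sed -nE 's/^make(\[[0-9]+\])?: \*\*\* \[([^]]*: )?(fate-[^]]+)\] Error [0-9]+.*$/\3/p' "$1" | sort -u
}

# _fate_compare COMM_FLAGS BEFORE_LOG AFTER_LOG
# Runs comm(1) over the two failure lists; both are sorted by fate_failures.
_fate_compare() {
    _before=$(mktemp) && _after=$(mktemp) || return 1
    fate_failures "$2" > "$_before"
    fate_failures "$3" > "$_after"
    comm "$1" "$_before" "$_after"
    rm -f "$_before" "$_after"
}

# Tests that fail with the update but did not fail before it (regressions).
fate_regressions() { _fate_compare -13 "$1" "$2"; }
# Tests that failed before the update and pass with it.
fate_fixed()       { _fate_compare -23 "$1" "$2"; }

# Constructed sample logs standing in for two real `make fate -k` runs.
FATE_BEFORE_LOG=$(mktemp)
cat > "$FATE_BEFORE_LOG" <<'EOF'
TEST    h264-conformance-aud_mw_e
TEST    hevc-conformance-AMP_A_Samsung_4
make: *** [tests/Makefile:306: fate-hevc-conformance-AMP_A_Samsung_4] Error 1
TEST    vp9-00-quantizer-00
TEST    mxf-probe-d10
EOF

FATE_AFTER_LOG=$(mktemp)
cat > "$FATE_AFTER_LOG" <<'EOF'
TEST    h264-conformance-aud_mw_e
make: *** [fate-h264-conformance-aud_mw_e] Error 1
TEST    hevc-conformance-AMP_A_Samsung_4
TEST    vp9-00-quantizer-00
make[1]: *** [tests/Makefile:306: fate-vp9-00-quantizer-00] Error 134
TEST    mxf-probe-d10
EOF

echo "regressions:"; fate_regressions "$FATE_BEFORE_LOG" "$FATE_AFTER_LOG"
echo "fixed:";       fate_fixed       "$FATE_BEFORE_LOG" "$FATE_AFTER_LOG"
```

In practice one would call `run_fate ffmpeg-$UPSTREAM_VERSION before.log` on the current archive source and again on the update, then paste the output of `fate_regressions before.log after.log` (ideally empty) and `fate_fixed before.log after.log` into the bug description as the before/after results. Because `make -k` keeps going after failures, the exit status of the run is not meaningful on its own; the parsed failure list is what to compare.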

Eduardo Barretto (ebarretto) wrote :

Please add test instructions, current results, and results after patching into the description.
Also the list of CVEs is still including CVEs fixed under Ubuntu Pro.

information type: Private Security → Public Security
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "ffmpeg_4.2.9-0ubuntu0.1.debian.tar.xz" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Eduardo Barretto (ebarretto) wrote (last edit ):

Please upload only debdiffs and please do not do version updates.

tags: removed: patch
Luís Infante da Câmara (luis220413) wrote (last edit ):

I uploaded .debian.tar.xz files because of https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes%20for%20Contributors:

"1. Your patch is in debdiff format (for merges and bug fixes) or a diff.gz file (for new upstream revisions)."

Is the .diff.gz file here a gzipped debdiff, such as those generated in PPA package details, or one of the files of a format 1.0 source package? I interpreted the sentence above as implying the latter.

Regarding version updates, Marc Deslauriers said in bug #1971185 that FFmpeg is an exception to the security team's general rule of not accepting new upstream microreleases into the security sponsoring process. Why is the security team not accepting these updates this time?

description: updated
Eduardo Barretto (ebarretto) wrote :

ffmpeg was an exception but since then we have been patching it directly instead of doing version upgrades, as you can see in the Ubuntu Pro updates.
For any version upgrades you should go through the SRU process.

Luís Infante da Câmara (luis220413) wrote :

I will convert this bug into a SRU bug, ensure that the proposed packages are built against the security pocket, and request that the packages be copied to the security pocket when they are released.

summary: - New upstream bugfix releases 4.2.9, 4.4.4 and 5.1.3
+ [SRU] New upstream bugfix releases 4.2.9, 4.4.4 and 5.1.3
description: updated
description: updated
Changed in ffmpeg (Ubuntu):
status: Incomplete → New
Eduardo Barretto (ebarretto) wrote (last edit ):

If it is a matter of fixing CVEs you should create a debdiff.
SRUs need better justification than just fix some CVEs. And we don't normally copy things from -updates to -security pocket, unless strictly needed.
My suggestion is that you provide a debdiff with the relevant CVE fixes.

Changed in ffmpeg (Ubuntu):
status: New → Incomplete
description: updated
Changed in ffmpeg (Ubuntu):
status: Incomplete → New
status: New → Fix Released
information type: Public Security → Public
Eduardo Barretto (ebarretto) wrote :

Luís are you reading my messages?
You don't seem to be.
1. There's no need for an SRU for this
2. Part of the CVEs are already fixed and you are trying to fix it again.
3. You are trying to do version upgrades and that's not how Ubuntu works.

If you provide us with a debdiff that only contain the patches that are needed to fix the vulnerabilities we will gladly sponsor it. But the way you're still making the same mistakes and not following our guidance, we won't sponsor until you address our comments.

Changed in ffmpeg (Ubuntu):
status: Fix Released → Invalid