June libav/ffmpeg security update tracking bug

Bug #1012132 reported by Marc Deslauriers on 2012-06-12
This bug affects 1 person
Affects          Status   Importance   Assigned to         Milestone
libav (Ubuntu)            Medium       Reinhard Tartler
Lucid                     Undecided    Unassigned
Natty                     Medium       Marc Deslauriers
Oneiric                   Medium       Marc Deslauriers
Precise                   Medium       Marc Deslauriers
Quantal                   Medium       Reinhard Tartler

Bug Description

This is a bug to track the June 2012 security updates for libav and ffmpeg.

libav 0.5.9
libav 0.6.6
libav 0.7.6
libav 0.8.3

visibility: private → public
Changed in libav (Ubuntu Lucid):
status: New → Invalid
Changed in libav (Ubuntu Natty):
status: New → Confirmed
Changed in libav (Ubuntu Oneiric):
status: New → Confirmed
Changed in libav (Ubuntu Quantal):
status: New → Fix Released
Changed in libav (Ubuntu Precise):
status: New → Confirmed
Changed in libav (Ubuntu Natty):
importance: Undecided → Medium
Changed in libav (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in libav (Ubuntu Precise):
importance: Undecided → Medium
Changed in libav (Ubuntu Quantal):
importance: Undecided → Medium
Changed in libav (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libav (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libav (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Reinhard Tartler (siretart) wrote :

Why is lucid status 'invalid'? libav 0.5.9 seems applicable to me (at least that's why I'm doing 0.5 releases upstream after all).

Changed in libav (Ubuntu Quantal):
assignee: nobody → Reinhard Tartler (siretart)
Marc Deslauriers (mdeslaur) wrote :

Because the source package in Lucid is called "ffmpeg", but a launchpad timeout is preventing me from adding "ffmpeg" to this bug at this time.

On Tue, Jun 12, 2012 at 18:48:22 (CEST), Marc Deslauriers wrote:

> Because the source package in Lucid is called "ffmpeg", but a launchpad
> timeout is preventing me from adding "ffmpeg" to this bug at this
> time.

I see. Well, in any case, libav 0.5.9 is a drop-in replacement for the
ffmpeg package in lucid, with minimal, security only changes. In Debian,
the source package is still called ffmpeg, although the contents are
taken from libav.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Marc Deslauriers (mdeslaur) wrote :

Yes, I am using libav 0.5.9 as the update for Lucid (but renamed to ffmpeg, as in Debian). The package is currently going through QA.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 4:0.8.3-0ubuntu0.12.04.1

---------------
libav (4:0.8.3-0ubuntu0.12.04.1) precise-security; urgency=low

  * Update to 0.8.3 to fix multiple security issues. (LP: #1012132)
    - CVE-2012-0851
    - CVE-2012-0947
  * debian/patches/04-ffmpeg-warning-change.patch: Update warning to make
    clearer the deprecation of ffmpeg binary. (LP: #939863)
 -- Marc Deslauriers <email address hidden> Tue, 12 Jun 2012 10:14:44 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 4:0.7.6-0ubuntu0.11.10.1

---------------
libav (4:0.7.6-0ubuntu0.11.10.1) oneiric-security; urgency=low

  * Update to 0.7.6 to fix multiple security issues. (LP: #1012132)
    - CVE-2011-3929
    - CVE-2011-3936
    - CVE-2011-3940
    - CVE-2011-3945
    - CVE-2011-3947
    - CVE-2011-3951
    - CVE-2011-3952
    - CVE-2011-4031
    - CVE-2012-0848
    - CVE-2012-0850
    - CVE-2012-0851
    - CVE-2012-0852
    - CVE-2012-0853
    - CVE-2012-0858
    - CVE-2012-0859
    - CVE-2012-0947
 -- Marc Deslauriers <email address hidden> Tue, 12 Jun 2012 09:38:34 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 4:0.6.6-0ubuntu0.11.04.1

---------------
libav (4:0.6.6-0ubuntu0.11.04.1) natty-security; urgency=low

  * Update to 0.7.6 to fix multiple security issues. (LP: #1012132)
    - CVE-2011-3929
    - CVE-2011-3936
    - CVE-2011-3940
    - CVE-2011-3945
    - CVE-2011-3947
    - CVE-2011-3951
    - CVE-2011-3952
    - CVE-2012-0850
    - CVE-2012-0851
    - CVE-2012-0852
    - CVE-2012-0853
    - CVE-2012-0858
    - CVE-2012-0859
    - CVE-2012-0947
 -- Marc Deslauriers <email address hidden> Tue, 12 Jun 2012 10:26:36 -0400

Changed in libav (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in libav (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in libav (Ubuntu Precise):
status: Confirmed → Fix Released
tsultana (tsultana) on 2012-06-20
visibility: public → private
security vulnerability: yes → no
visibility: private → public