[FFmpeg-devel] backport fixes for CVE-2019-9718 and CVE-2019-9721

Michael Niedermayer michael at niedermayer.cc
Wed Mar 20 20:18:37 EET 2019


On Wed, Mar 20, 2019 at 12:08:52PM +0100, Dominik 'Rathann' Mierzejewski wrote:
> On Wednesday, 20 March 2019 at 00:48, Carl Eugen Hoyos wrote:
> > 2019-03-19 23:28 GMT+01:00, Dominik 'Rathann' Mierzejewski
> > <dominik at greysector.net>:
> > 
> > > Were the CVE IDs not known at the time these were pushed to master?
> > 
> > No, how would this be possible?
> 
> Easy: you can request the ID at https://cveform.mitre.org/ before
> pushing the commits.

Do you want to do that?
In general patches are posted to the mailing list so you could if
you want.
There are probably about 1-2 "Timeout" fixes similar to these a day
currently. Most of these are security issues in the sense of making denial
of service easier, they do not change black to white. 

It's not so much that I don't have the time to request 1-2 CVE# a day, it's
more that I am not sure this is really helpful to our users.

Thanks


> 
> > > Not having them in the commit log made it more difficult to find them.
> > 
> > I thought the CVEs themselves contain the commits, no?
> 
> They do, but looking at the commits only I wouldn't know there were CVE
> IDs associated with them, so the relation is one-way only. I would feel
> better if the commit log said a CVE ID was being fixed.
> 
> Regards,
> Dominik
> -- 
> Fedora   https://getfedora.org  |  RPM Fusion  http://rpmfusion.org
> There should be a science of discontent. People need hard times and
> oppression to develop psychic muscles.
>         -- from "Collected Sayings of Muad'Dib" by the Princess Irulan

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Freedom in capitalist society always remains about the same as it was in
ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin