[FFmpeg-devel] CVE #s security fixes and backports
Rémi Denis-Courmont
remi at remlab.net
Sun Feb 23 18:49:23 EET 2025
On Sunday, 23 February 2025, 11.12.36 UTC+2 Michael Niedermayer wrote:
> On Sun, Feb 23, 2025 at 09:56:35AM +0100, Michael Niedermayer wrote:
> > I suggest
> > 1. if you fix a security issue or apply a security fix, make sure it is
> > backported to all supported releases
> > 2. if you see a CVE # that's not on the security page, mail ffmpeg-security
> > 3. If you see issues on trac that seem important, please make sure they
> > are fixed and backported, having someone like carl who knew and maintained
> > all issues would be quite useful
>
> 4. Someone should cross check
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ffmpeg and our security
> page and backported fixes and backport missing fixes and fix unfixed
> issues.
I find these suggestions very agreeable... as long as someone else is
responsible. Luckily, I am not on ffmpeg-security, so I have a rock-solid
excuse.
IMO, whoever "asked (...) why 5 security fixes are missing in 6.1
and from our security page" should be respectfully informed that FFmpeg is a
volunteer organisation and lacks the human resources necessary to track CVEs.
It probably won't make any difference in the end, but I find it better to admit
that we don't do what we don't do than to give false hopes.
--
Rémi Denis-Courmont
Villeneuve de Tapiola, ex-République finlandaise d´Uusimaa