The CVEs CVE-2015-3395 & CVE-2015-3417 have been fixed in libav-11.4: http://seclists.org/bugtraq/2015/Jun/80 https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.4 Reproducible: Always
CVE-2015-3417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3417): Use-after-free vulnerability in the ff_h264_free_tables function in libavcodec/h264.c in FFmpeg before 2.3.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted H.264 data in an MP4 file, as demonstrated by an HTML VIDEO element that references H.264 data. CVE-2015-3395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3395): The msrle_decode_pal4 function in msrledec.c in Libav before 10.7 and 11.x before 11.4 and FFmpeg before 2.0.7, 2.2.x before 2.2.15, 2.4.x before 2.4.8, 2.5.x before 2.5.6, and 2.6.x before 2.6.2 allows remote attackers to have unspecified impact via a crafted image, related to a pixel pointer, which triggers an out-of-bounds array access.
Ping. We need to fix this, Debian has had a fix since 13 Jun 2015. It is almost January of 2016. Please advise.
Version 11.4 in tree media-video/libav: Update the version Luca Barbato, 25 Jan 23:19, commit 501fd5e1 Are we ready to go stable?
Ok lets try this again! Two versions in tree that fix this. 11.4, 11.6 Which one do you want to call for stabilization on?
New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in GLSA 201705-08 at https://security.gentoo.org/glsa/201705-08 by GLSA coordinator Kristian Fiskerstrand (K_F).
Reopening Bug for cleanup Maintainer(s), please drop the vulnerable version(s).
this bug depends on a bug that already has a cleanup set on <11.8. Thus, that cleanup will take care of this. Closing.
