[FFmpeg-user] 2.8.14 security updates

Carl Eugen Hoyos ceffmpeg at gmail.com
Wed May 16 00:46:04 EEST 2018


2018-05-15 22:02 GMT+02:00, Bryan Duff <duff0097 at gmail.com>:
> Is 2.8.14 up-to-date as far as known security issues (e.g.
> CVEs) are concerned?

2.8 is still supported and gets security updates:
http://ffmpeg.org/download.html
Note that nearly no fixed FFmpeg security issue gets a CVE,
so CVEs have limited relevance for FFmpeg.

> Looking at CVEs for ffmpeg, some will say "3.x.y and before" - does that
> mean that they only affect 3.x?  If not and they affect 2.8.14, then there
> are a decent number that affect 2.8.14 (15 of them?)

As said above, the number of CVEs has no relevance here,
the number of fixed issues with possible security implications
per release is approximately a magnitude bigger than the
number of reported CVEs.

> For example, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9608
> has commits in the 3.2, 3.3, and master branches, so I'm guessing 2.8 is
> not affected.  Just trying to make sure.

Could you elaborate what you want to know exactly?
The issue in question was introduced after 2.8 was released but
I wonder why you chose this example: This is a DOS, but valid
files can easily be found that cause DOS for libavformat /
libavcodec in a given environment, so you have to secure the
libraries independently of our code to avoid DOS.

Carl Eugen
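
One way to act on the advice above about securing the libraries independently against DoS, as an added example that is not part of the original post or of FFmpeg's code: run the decoding command in a child process under OS resource limits plus a wall-clock timeout. The function name, default limits and status strings are assumptions of this example, and it relies on POSIX rlimits (Linux).

```python
import resource
import signal
import subprocess
import sys


def _cap(res, soft, hard):
    """Set a limit, never asking for more than the inherited hard limit."""
    cur_hard = resource.getrlimit(res)[1]
    if cur_hard != resource.RLIM_INFINITY:
        hard = min(hard, cur_hard)
        soft = min(soft, hard)
    resource.setrlimit(res, (soft, hard))


def run_limited(cmd, cpu_seconds=10, mem_bytes=1 << 30, wall_seconds=30):
    """Run cmd (for example an ffmpeg or ffprobe command line) under OS limits.

    Function name, defaults and status strings are assumptions of this example.
    """
    def apply_limits():
        # Runs in the child after fork() and before exec().
        # Soft CPU limit delivers SIGXCPU; a child that catches it is
        # stopped by SIGKILL at the hard limit one second later.
        _cap(resource.RLIMIT_CPU, cpu_seconds, cpu_seconds + 1)
        _cap(resource.RLIMIT_AS, mem_bytes, mem_bytes)   # address space
        _cap(resource.RLIMIT_CORE, 0, 0)                 # no core dumps

    try:
        proc = subprocess.run(cmd, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL,
                              preexec_fn=apply_limits, timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        # Covers input that stalls without burning CPU; run() kills the child.
        return {"status": "wall_timeout", "returncode": None}
    # A SIGKILL is attributed to the hard CPU limit here (assumption).
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return {"status": "cpu_limit", "returncode": proc.returncode}
    status = "ok" if proc.returncode == 0 else "failed"
    return {"status": status, "returncode": proc.returncode}


if __name__ == "__main__":
    # Usage: python run_limited.py ffprobe untrusted_input.mkv
    print(run_limited(sys.argv[1:]))
```

An allocation beyond `mem_bytes` fails inside the child, so it surfaces as a non-zero exit (`failed`) rather than exhausting the host.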

