Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 25 Jul 2013 11:08:45 +0200
From: Rémi Denis-Courmont <>
To: <>
Cc: Jean-Baptiste Kempf <>, <>, 
 Michael Niedermayer <>, 
 Moritz Muehlenhoff <>, Moritz Muehlenhoff <>, 
 <>, <>
Subject: Re: new FFMpeg stuff

On Thu, 25 Jul 2013 03:01:33 -0600, Kurt Seifried <>
> Hash: SHA1
> On 07/25/2013 02:52 AM, Jean-Baptiste Kempf wrote:
>> On 25 Jul, Kurt Seifried wrote :
>>> Can the VLC security team confirm/correct this as needed so we
>>> can ensure it's correct before I assign CVEs? thanks.
>> Why the VLC security team should be involved in that?
> Because they want to help make sure the CVEs get correctly assigned?
> If you guys don't care about getting CVE's done properly well that's
> your choice I guess and I'll assign the CVEs as best I can. But I was
> hoping VLC upstream might help out.

It's not that we don't care about CVE IDs. But "upstream VLC" is upstream
VLC, i.e. the VLC code base. We just do not have the resources and
expertise to evaluate FFmpeg/libav security issues individually.

Besides, VLC can be linked dynamically with many different FFmpeg or libav
versions. So keeping track of their security issues within the context of
VLC is more or less impossible. That is up to the VLC binary packagers, not
to upstream developers.

Rémi Denis-Courmont
Sent from my collocated server

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.