Reporting fixes so that vuxml can be updated

Kevin Oberman rkoberman at gmail.com
Thu Dec 24 00:36:41 UTC 2015 

On Wed, Dec 23, 2015 at 11:26 AM, Michael Jung <mikej at mikej.com> wrote:

> On 2015-12-23 11:55, Lowell Gilbert wrote:
>
>> Michael Jung <mikej at mikej.com> writes:
>>
>> "pkg audit" on my system returns the following CVE's for ffmpeg.  I
>>> have noted
>>> in the list below that http://www.ffmpeg.org/security.html claims
>>> these CVE's
>>> were fixed in the ffmpeg version noted.
>>>
>>> Is this the correct place/list to report updates to that vuxml can be
>>> updated?
>>>
>>
>> No updates to vuxml are needed (or appropriate).
>>
>> Update your ffmpeg port and you'll be fine.
>>
>>
> I neglected to state that my port is current
>
> ffmpeg-2.8.3_2,1               Realtime audio/video encoder/converter and
> streaming server
>
> Yet all the CVE's reported by "pkg audit" have been fixed according to
> the ffmpeg security link provided in my previous email and my notes as to
> what
> version of ffmpeg they were corrected in.
>
> This would seem to me that vuxml is not current as of the current
> maintainers
> package version.
>
> PORTNAME=       ffmpeg
> PORTVERSION=    2.8.3
> PORTREVISION=   2
> PORTEPOCH=      1
>
>
> Please let me know what I am missing here.
>
> Regards,
>
> --mikej
>
> This has nothing to do with the ffmpeg port and re-installing won't help.

The problem is that handbrake and a few other multimedia ports include a
specific (old) version of ffmpeg. avidemux has ffmpeg-2.6.1. They do this
is to deal with the continual churn in ffmpeg's API and ABI. In recent
times ffmpeg developers have tried to stabilize the API, but I'm sure how
well it is doing. In any case, handbrake, avidemux and gstreamer-ffmpeg all
have this problem. Until those ports are updated to a recent version of
ffmpeg, the vulnerability will remain.

I hope to try a newer ffmpeg with avidemux when I get time (if I ever do)
as I use it far more than I do handbrake.

BTW, if you have x265 installed, handbrake will also fail due to a
conflict. There is not real conflict. It's a problem with the handbrake
port is not properly using the correct header files when x.265 is
installed. Just delete x265, build and install handbrake, and re-install
x265 until handbrake updates it's internal x265 to  newer one.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman at gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683

More information about the freebsd-ports mailing list