Hi all, There have been a number of releases of dav1d newer than the one shipped in EPEL 9 right now, one of which include fixes for this CVE: https://bugzilla.redhat.com/show_bug.cgi?id=2264940 Looking at upstream commit history, there seem to be other "security fixes" that have just not been assigned a CVE number. I have looked into backporting the fixes to the version currently in EPEL 9, but it's 1) unclear which commits all need to be backported, and 2) some changes aren't cleanly backportable, and 3) that would not cover security fixes not associated with a CVE number. For this reason, I would like to build the version of dav1d that's currently in Fedora 40+ and in EPEL 10 also for EPEL 9. This includes one soname bump (since dav1d 1.3.0) due to an ABI change, which makes this an incompatible update, but there were no actual API changes. Packages in the EPEL 9 repos that depend on dav1d that would need to be rebuilt: chromium: chromium chromium: chromium-headless ffmpeg: libavcodec-free libavif0.10: libavif0.10 libavif: libavif libheif: libheif vlc: vlc-plugins-base xine-lib: xine-lib Fabio -- _______________________________________________ epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue