On Mon, Oct 21, 2024 at 8:04 AM Fabio Valentini <decathorpe@xxxxxxxxx> wrote:
Hi all,
There have been a number of releases of dav1d newer than the one
shipped in EPEL 9 right now, one of which includes fixes for this CVE:
https://bugzilla.redhat.com/show_bug.cgi?id=2264940
Looking at upstream commit history, there seem to be other "security
fixes" that have just not been assigned a CVE number. I have looked
into backporting the fixes to the version currently in EPEL 9, but
it's 1) unclear which commits all need to be backported, and 2) some
changes aren't cleanly backportable, and 3) that would not cover
security fixes not associated with a CVE number.
For this reason, I would like to build the version of dav1d that's
currently in Fedora 40+ and in EPEL 10 also for EPEL 9. This includes
one soname bump (since dav1d 1.3.0) due to an ABI change, which makes
this an incompatible update, but there were no actual API changes.
Packages in the EPEL 9 repos that depend on dav1d that would need to be rebuilt:
chromium: chromium
chromium: chromium-headless
ffmpeg: libavcodec-free
libavif0.10: libavif0.10
libavif: libavif
libheif: libheif
vlc: vlc-plugins-base
xine-lib: xine-lib
Fabio
Thank you for following the Incompatible update process.
Looking at things, I agree that updating is the best step forward.
My only concern is that you will be rebuilding the "heavy hitters" dealing with web browsing, video and sound.
If this gets approved, please be careful with those and try to communicate with their maintainers as much as possible.
Troy