Merge version 1.0.3-1+rpi1+deb10u1 and 1.0.3-1+deb10u3 to produce 1.0.3-1+rpi1+deb10u3 archive/raspbian/1.0.3-1+rpi1+deb10u3 raspbian/1.0.3-1+rpi1+deb10u3
author Raspbian automatic forward porter <root@raspbian.org>
Wed, 25 Jan 2023 04:02:14 +0000 (04:02 +0000)
committer Raspbian automatic forward porter <root@raspbian.org>
Wed, 25 Jan 2023 04:02:14 +0000 (04:02 +0000)
debian/changelog
debian/patches/series

index b7ec952d74908e4e669ebf4ccd8a005f9e6d75e3,6c4c2e75c0477a9e95e186527c4683bf70b8dff0..4c247dae5b75017b7ff499633076c4101d00f5c3
@@@ -1,9 -1,35 +1,42 @@@
- libde265 (1.0.3-1+rpi1+deb10u1) buster-staging; urgency=medium
++libde265 (1.0.3-1+rpi1+deb10u3) buster-staging; urgency=medium
 +
 +  [changes brought forward from 1.0.2-1+rpi1 by Peter Michael Green <plugwash@raspbian.org> at Sun, 04 Oct 2015 21:44:10 +0000]
 +  * Disable neon.
 +
-  -- Raspbian forward porter <root@raspbian.org>  Thu, 15 Dec 2022 22:08:54 +0000
++ -- Raspbian forward porter <root@raspbian.org>  Wed, 25 Jan 2023 04:02:14 +0000
++
+ libde265 (1.0.3-1+deb10u3) buster-security; urgency=medium
+   * Non-maintainer upload by the LTS Security Team.
+   * Source-only upload. (Last upload was accidentially a binary-upload)
+  -- Tobias Frost <tobi@debian.org>  Tue, 24 Jan 2023 22:39:16 +0100
+ libde265 (1.0.3-1+deb10u2) buster-security; urgency=medium
+   * Non-maintainer upload by the LTS Security Team.
+   * Add patches:
+     - reject_reference_pics_from_different_sps.patch
+     - use_sps_from_the_image.patch
+     - recycle_sps_if_possible.patch
+   * Cherry-pick additional patches from upstream:
+     check-4-negative-Q-value.patch
+     CVE-2022-43245-fix-asan-wildpointer-apply_sao_internal.patch
+   * Add patch "fix-invalid-memory-access.patch" to avoid out-of-bound
+     array access leading to crashes.
+   * Add patch CVE-2020-21596-global-buffer-overflow.patch
+   * Add patch to avoid use-after-free problems.
+   * Cumulative, the patches are fixing:
+     CVE-2020-21596, CVE-2020-21597, CVE-2020-21598, CVE-2022-43235,
+     CVE-2022-43236, CVE-2022-43237, CVE-2022-43238, CVE-2022-43239,
+     CVE-2022-43240, CVE-2022-43241, CVE-2022-43242, CVE-2022-43243,
+     CVE-2022-43244, CVE-2022-43245, CVE-2022-43248, CVE-2022-43249,
+     CVE-2022-43250, CVE-2022-43252, CVE-2022-43253, CVE-2022-47655.
+     (Closes: #1029357, #1029397, #1025816, #1027179)
+    * Amend changelog of 1.0.3-1+deb10u1, as it turned out that the
+      fix for CVE 2020-51999 and CVE 2021-36408 fixed other issues too.
+  -- Tobias Frost <tobi@debian.org>  Tue, 24 Jan 2023 21:42:47 +0100
  
  libde265 (1.0.3-1+deb10u1) buster-security; urgency=medium
  
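Review bot: In the "Amend changelog of 1.0.3-1+deb10u1" bullet of the 1.0.3-1+deb10u2 entry, the identifiers are written "CVE 2020-51999" and "CVE 2021-36408" with a space instead of a hyphen, unlike every entry in the cumulative list above it. Tooling that scans changelogs for the CVE-YYYY-NNNN form will not match these two, so the amendment will not be picked up by trackers. Write them in the hyphenated form, and confirm the first number while doing so, since the other 2020 identifiers in this entry are all in the 2020-2159x range. Two smaller points in the same entry: "Add patch to avoid use-after-free problems." does not name the patch file, although the series file adds fix-use-after-free.patch, and naming it would let a reader trace the fix; and "accidentially" in the 1.0.3-1+deb10u3 entry should read "accidentally". The cumulative list covers twenty CVEs but only two patch names carry a CVE number, so a per-patch mapping (in the changelog or in the patch headers) would make later triage easier.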
index f2c6168a89a0c2ec1245afc7f18aae79965ee33e,795764e9063007bffb9a185921dc9e0dcdc9187f..1b4ae213135f8540d59ca4c34271f956861332de
@@@ -7,4 -8,10 +8,11 @@@ CVE-2021-36408.patc
  CVE-2021-36409.patch
  CVE-2021-36410.patch
  CVE-2021-36411.patch
+ reject_reference_pics_from_different_sps.patch
+ use_sps_from_the_image.patch
+ recycle_sps_if_possible.patch
+ check-4-negative-Q-value.patch
+ CVE-2022-43245-fix-asan-wildpointer-apply_sao_internal.patch
+ CVE-2020-21596-global-buffer-overflow.patch
+ fix-use-after-free.patch
 +disable-neon.patch
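Review bot: The changelog entry for 1.0.3-1+deb10u2 says 'Add patch "fix-invalid-memory-access.patch"', but no line with that name is among the seven patches added in this hunk, which end with fix-use-after-free.patch. Either the patch was folded into another file or renamed, in which case the changelog text should say so, or it is missing from the series and the out-of-bounds array access fix is not being applied at build time. Worth checking the built source against the changelog before relying on the CVE list. disable-neon.patch stays last in the series, after all the new security patches, so the forward port should also be verified to still apply cleanly on top of them rather than assumed from the merge succeeding.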