From: Raspbian automatic forward porter Date: Sun, 12 Mar 2023 10:22:17 +0000 (+0000) Subject: Merge version 1.0.3-1+rpi1+deb10u1 and 1.0.11-0+deb10u4 to produce 1.0.11-0+deb10u4... X-Git-Tag: archive/raspbian/1.0.11-0+deb10u4+rpi1^0 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=9235fe94e6fb89af313412b07002e57bd069df68;p=libde265.git Merge version 1.0.3-1+rpi1+deb10u1 and 1.0.11-0+deb10u4 to produce 1.0.11-0+deb10u4+rpi1 --- 9235fe94e6fb89af313412b07002e57bd069df68 diff --cc debian/changelog index b7ec952,f298125..5b38f75 --- a/debian/changelog +++ b/debian/changelog @@@ -1,9 -1,48 +1,55 @@@ - libde265 (1.0.3-1+rpi1+deb10u1) buster-staging; urgency=medium ++libde265 (1.0.11-0+deb10u4+rpi1) buster-staging; urgency=medium + + [changes brought forward from 1.0.2-1+rpi1 by Peter Michael Green at Sun, 04 Oct 2015 21:44:10 +0000] + * Disable neon. + - -- Raspbian forward porter Thu, 15 Dec 2022 22:08:54 +0000 ++ -- Raspbian forward porter Sun, 12 Mar 2023 10:22:16 +0000 ++ + libde265 (1.0.11-0+deb10u4) buster-security; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Import new upstream version, based on the 1.0.11-0+deb11u1 package + from bullseye. + - fixing: + CVE-2023-24751, CVE-2023-24752, CVE-2023-24754, CVE-2023-24755, + CVE-2023-24756, CVE-2023-24757, CVE-2023-24758 and CVE-2023-25221. + - dropping no longer needed patches that have been integrated or + made obsolete by the new upstream version. + + -- Tobias Frost Sat, 04 Mar 2023 17:01:58 +0100 + + libde265 (1.0.3-1+deb10u3) buster-security; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Source-only upload. (Last upload was accidentially a binary-upload) + + -- Tobias Frost Tue, 24 Jan 2023 22:39:16 +0100 + + libde265 (1.0.3-1+deb10u2) buster-security; urgency=medium + + * Non-maintainer upload by the LTS Security Team. 
+ * Add patches: + - reject_reference_pics_from_different_sps.patch + - use_sps_from_the_image.patch + - recycle_sps_if_possible.patch + * Cherry-pick additional patches from upstream: + check-4-negative-Q-value.patch + CVE-2022-43245-fix-asan-wildpointer-apply_sao_internal.patch + * Add patch "fix-invalid-memory-access.patch" to avoid out-of-bound + array access leading to crashes. + * Add patch CVE-2020-21596-global-buffer-overflow.patch + * Add patch to avoid use-after-free problems. + * Cumulative, the patches are fixing: + CVE-2020-21596, CVE-2020-21597, CVE-2020-21598, CVE-2022-43235, + CVE-2022-43236, CVE-2022-43237, CVE-2022-43238, CVE-2022-43239, + CVE-2022-43240, CVE-2022-43241, CVE-2022-43242, CVE-2022-43243, + CVE-2022-43244, CVE-2022-43245, CVE-2022-43248, CVE-2022-43249, + CVE-2022-43250, CVE-2022-43252, CVE-2022-43253, CVE-2022-47655. + (Closes: #1029357, #1029397, #1025816, #1027179) + * Amend changelog of 1.0.3-1+deb10u1, as it turned out that the + fix for CVE 2020-51999 and CVE 2021-36408 fixed other issues too. + + -- Tobias Frost Tue, 24 Jan 2023 21:42:47 +0100 libde265 (1.0.3-1+deb10u1) buster-security; urgency=medium diff --cc debian/patches/series index f2c6168,d7f7424..b9b42f0 --- a/debian/patches/series +++ b/debian/patches/series @@@ -1,10 -1,5 +1,6 @@@ only_export_decoder_api.patch disable_tools.patch - ffmpeg_2.9.patch - CVE-2020-21599.patch - CVE-2021-35452.patch - CVE-2021-36408.patch - CVE-2021-36409.patch - CVE-2021-36410.patch - CVE-2021-36411.patch + reject_reference_pics_from_different_sps.patch + use_sps_from_the_image.patch + recycle_sps_if_possible.patch +disable-neon.patch
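Review bot: In the debian/changelog hunk, the 1.0.3-1+deb10u2 entry refers to "CVE 2020-51999 and CVE 2021-36408", which drops the hyphen after "CVE" that every other identifier in the file uses, and the first number does not match the patch name CVE-2020-21599.patch removed in debian/patches/series, so it reads like transposed digits. Anyone searching the changelog for CVE-2020-21599 to confirm coverage will not find this line. The same block also has "accidentially" in the 1.0.3-1+deb10u3 entry. These entries come in unchanged from the buster-security side of the merge, so the correction belongs in that changelog rather than in the forward port; the new 1.0.11-0+deb10u4+rpi1 entry itself only records "Disable neon" and looks fine.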
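Review bot: The debian/patches/series hunk drops CVE-2020-21599.patch, CVE-2021-35452.patch and CVE-2021-36408.patch through CVE-2021-36411.patch, but nothing visible in this commit documents that each of those fixes is present in 1.0.11. The 1.0.11-0+deb10u4 changelog entry only says the dropped patches "have been integrated or made obsolete by the new upstream version", and its list of fixed CVEs names none of these six. I would name the dropped patches in that changelog entry, or at least confirm each one against the 1.0.11 source before this lands in buster-staging. Separately, disable-neon.patch is now the last entry and is applied on top of 1.0.11, while the changelog says it was brought forward from 1.0.2-1+rpi1; since this merge is automatic, a build check that the patch still applies and still disables NEON would be worth recording.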