-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 15 Dec 2025 22:50:15 -0300
Source: ffmpeg
Architecture: source
Version: 7:4.3.9-0+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Carlos Henrique Lima Melara <charlesmelara@riseup.net>
Changes:
 ffmpeg (7:4.3.9-0+deb11u2) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * debian/patches/:
     - CVE-2023-6603.patch: cherry-pick from upstream.
       + CVE-2023-6603: A flaw was found in FFmpeg's HLS playlist parsing.
         This vulnerability allows a denial of service via a maliciously
         crafted HLS playlist that triggers a null pointer dereference
         during initialization.
     - CVE-2024-36615-1.patch: backport from upstream.
       + CVE-2024-36615: FFmpeg n7.0 has a race condition vulnerability in
         the VP9 decoder. This could lead to a data race if video encoding
         parameters were being exported, as the side data would be attached
         in the decoder thread while being read in the output thread.
     - CVE-2024-36615-2.patch: backport regression fix from upstream.
     - CVE-2025-1594.patch: cherry-pick from upstream.
       + CVE-2025-1594: A vulnerability, which was classified as critical,
         was found in FFmpeg up to 7.1. This affects the function
         ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the
         component AAC Encoder. The manipulation leads to stack-based
         buffer overflow. It is possible to initiate the attack remotely.
         The exploit has been disclosed to the public and may be used.
     - CVE-2025-7700.patch: backport from upstream.
       + CVE-2025-7700: A flaw was found in FFmpeg's ALS audio decoder,
         where it does not properly check for memory allocation failures.
         This can cause the application to crash when processing certain
         malformed audio files. While it does not lead to data theft or
         system control, it can be used to disrupt services and cause a
         denial of service.
     - CVE-2025-9951-{1,2}.patch: cherry-pick from upstream.
       + CVE-2025-9951: A heap-buffer-overflow write exists in jpeg2000dec
         FFmpeg which allows an attacker to potentially gain remote code
         execution or cause denial of service via the channel definition
         cdef atom of JPEG2000.
     - fix-use-of-uninitialized-memory.patch: cherry-pick from upstream.
     - CVE-2025-10256.patch: backport from upstream.
       + CVE-2025-10256: A potential NULL pointer dereference vulnerability
         exists in FFmpeg's Firequalizer filter due to a missing check on
         the return value of av_malloc_array() in the config_input()
         function. If the memory allocation for s->dump_buf fails, the
         subsequent dereference of the returned pointer may cause a crash
         (denial of service).
     - CVE-2025-63757.patch: cherry-pick from upstream.
       + CVE-2025-63757: Integer overflow vulnerability in the
         yuv2ya16_X_c_template function in libswscale/output.c in FFmpeg 8.0.
   * debian/salsa-ci.yml: add (E)LTS pipeline for bullseye.
Checksums-Sha1:
8fad4b9f3d0c8df7c4bd485a753672caf1c5e603 5476 ffmpeg_4.3.9-0+deb11u2.dsc
8456e0f451e3e07e5897061178a5bbe37e5960fb 9410664 ffmpeg_4.3.9.orig.tar.xz
c1f5bd0835a2c54d1e728ad5e83c4390dbede500 520 ffmpeg_4.3.9.orig.tar.xz.asc
8b2b4b74f899e060cba7eb26080cdf553dfecdc9 97920 ffmpeg_4.3.9-0+deb11u2.debian.tar.xz
bf35650ed90071cd4ab4229335c127e37f90bcfe 6211 ffmpeg_4.3.9-0+deb11u2_source.buildinfo
Checksums-Sha256:
cbd6ac71b58d5e9199b45372c2a4100c397dc421c585ad0829b62c4bde48eef5 5476 ffmpeg_4.3.9-0+deb11u2.dsc
9e2a718f3956fa87a7dbc73e647d74171bf23b8964b6478d868b9aa623d03374 9410664 ffmpeg_4.3.9.orig.tar.xz
df377d228c09b8474c4fdf07a615c040b7c71a0c39119a00d5d68dadf7838ed5 520 ffmpeg_4.3.9.orig.tar.xz.asc
0fcf6ba4809d5b067bb5625a04379cd4c747da3e6b01a830b5860d338bbecc55 97920 ffmpeg_4.3.9-0+deb11u2.debian.tar.xz
b20dfc49c2dc45b07c4c65ba20f10787b6eac7840208264254e41680e4ce877e 6211 ffmpeg_4.3.9-0+deb11u2_source.buildinfo
Files:
4900c8f4538bd1665187a676d9680080 5476 video optional ffmpeg_4.3.9-0+deb11u2.dsc
66228b6dc6620d047ac48c9d685bb826 9410664 video optional ffmpeg_4.3.9.orig.tar.xz
2490def9252bc9a650765dfb7ff585e7 520 video optional ffmpeg_4.3.9.orig.tar.xz.asc
61ba8225145bfb84f10e2972c2d2b941 97920 video optional ffmpeg_4.3.9-0+deb11u2.debian.tar.xz
087bdbe999f1d77338ff8fa270ffd1f5 6211 video optional ffmpeg_4.3.9-0+deb11u2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=mf4c
-----END PGP SIGNATURE-----