libde265 (1.0.11-1+deb12u2) bookworm; urgency=medium * Non-maintainer upload by the LTS Team. (Closes: #1059275) * CVE-2023-49465 heap-buffer-overflow in derive_spatial_luma_vector_prediction() * CVE-2023-49467 heap-buffer-overflow in derive_combined_bipredictive_merging_candidates() * CVE-2023-49468 global buffer overflow in read_coding_unit() -- Thorsten Alteholz Fri, 29 Dec 2023 23:03:02 +0100 libde265 (1.0.11-1+deb12u1) bookworm; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2023-27102 (Closes: #1033257) fix segmentation violation in the function decoder_context::process_slice_segment_header * CVE-2023-27103 fix heap buffer overflow in the function derive_collocated_motion_vectors * CVE-2023-43887 fix buffer over-read in pic_parameter_set::dump * CVE-2023-47471 (Closes: #1056187) fix buffer overflow in the slice_segment_header function -- Thorsten Alteholz Sun, 26 Nov 2023 13:03:02 +0100 libde265 (1.0.11-1) unstable; urgency=medium [ Tobias Frost ] * Make my patch less noisy. [ Joachim Bauch ] * New upstream version 1.0.11 * Unpackaged upstream version 1.0.10 fixes the following CVEs, most caused by the same underlying issue: CVE-2020-21594, CVE-2020-21595, CVE-2020-21596, CVE-2020-21597, CVE-2020-21598, CVE-2020-21599, CVE-2020-21600, CVE-2020-21601, CVE-2020-21602, CVE-2020-21603, CVE-2020-21604, CVE-2020-21605, CVE-2020-21606, CVE-2022-1253, CVE-2022-43236, CVE-2022-43237, CVE-2022-43238, CVE-2022-43239, CVE-2022-43240, CVE-2022-43241, CVE-2022-43242, CVE-2022-43243, CVE-2022-43244, CVE-2022-43245, CVE-2022-43248, CVE-2022-43249, CVE-2022-43250, CVE-2022-43252, CVE-2022-43253, CVE-2022-47655 * Remove patch applied upstream. * Update patches for new upstream version. * Remove copyright entry for file no longer present in upstream. * Update symbols for new upstream version. * Bump "Standards-Version" to 4.6.2 -- Joachim Bauch Thu, 02 Feb 2023 16:06:20 +0100 libde265 (1.0.9-1.1) unstable; urgency=medium * Non-maintainer upload. * Apply patches to mitigate asan failures: reject_reference_pics_from_different_sps.patch and use_sps_from_the_image.patch. * Combined, this two patches fixes: - CVE-2022-43243, CVE-2022-43248, CVE-2022-43253 (Closes: #1025816) - CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43238, CVE-2022-43239, CVE-2022-43240, CVE-2022-43241, CVE-2022-43242, CVE-2022-43244, CVE-2022-43250, CVE-2022-43252 (Closes: #1027179) - CVE-2022-47655 * Additional patch recycle_sps_if_possible.patch to avoid over-rejecting valid video streams due to reject_reference_pics_from_different_sps.patch. * Modifying past changelog entries to indicate when vulnerabilities were fixed: - In 1.0.9-1, in total 11 CVE's. see #1004963 and #1014999 - In 1.0.3-1, 1 CVE, see #1029396 * drop unused Build-Depends: libjpeg-dev, libpng-dev and libxv-dev (Closes: #981260) -- Tobias Frost Sun, 22 Jan 2023 13:19:20 +0100 libde265 (1.0.9-1) unstable; urgency=medium * Add "Rules-Requires-Root: no". * New upstream version 1.0.9. Bisecting shows that this version fixed this CVES: - CVE-2020-21598, CVE-2020-21600, CVE-2020-21602 (Closes: #1004963) - CVE-2020-21595, CVE-2020-21597, CVE-2020-21599, CVE-2020-21601, CVE-2020-21603, CVE-2020-21604, CVE-2020-21605, CVE-2020-21606 (Closes: #1014999) * Remove patches now part of upstream release. * Bump "Standards-Version" to 4.6.1 * Add patch to provide "gl_VISIBILITY" macro. * Update symbols for new upstream version. -- Joachim Bauch Tue, 25 Oct 2022 10:15:37 +0200 libde265 (1.0.8-1.1) unstable; urgency=medium * Non-maintainer upload. * Import upstream fixes for CVE-tracked vulnerabilities (Closes: #1014977) - CVE-2022-1253 - CVE-2021-36411 - CVE-2021-36410 - CVE-2021-36409 - CVE-2021-36408 - CVE-2021-35452 -- Philipp Kern Sun, 16 Oct 2022 15:26:20 +0200 libde265 (1.0.8-1) unstable; urgency=medium * Update to debhelper compat level 13 and add debian/not-installed * Imported Upstream version 1.0.8 * Remove patch applied upstream. * Bump "Standards-Version" to 4.5.1 -- Joachim Bauch Wed, 16 Dec 2020 16:32:29 +0100 libde265 (1.0.7-1) unstable; urgency=medium [ Debian Janitor ] * Set upstream metadata fields: Bug-Submit. [ Joachim Bauch ] * Imported Upstream version 1.0.7 * Update patches for new upstream version. * Update symbols for new upstream version. * Bump "Standards-Version" to 4.5.0 -- Joachim Bauch Fri, 25 Sep 2020 13:00:59 +0200 libde265 (1.0.4-1) unstable; urgency=medium [ Ondřej Nový ] * Use debhelper-compat instead of debian/compat [ Joachim Bauch ] * Imported Upstream version 1.0.4 * Enable hardening. * Specify Build-Depends-Package in symbols. * Ignore more internal STL symbols. * Bump "Standards-Version" to 4.4.1 * Update to debhelper compat level 12. [ Debian Janitor ] * Set upstream metadata fields: Bug-Database, Repository, Repository- Browse. [ Sebastian Ramacher ] * debian/rules: Remove obsolete dh_strip override -- Joachim Bauch Fri, 20 Dec 2019 12:17:15 +0100 libde265 (1.0.3-1) unstable; urgency=medium [ Ondřej Nový ] * d/copyright: Use https protocol in Format field * d/control: Set Vcs-* to salsa.debian.org [ Felipe Sateler ] * Change maintainer address to debian-multimedia@lists.debian.org [ Joachim Bauch ] * Imported Upstream version 1.0.3 This version fixes CVE-2020-21594. (Closes: #1029396) * Update patches for new upstream version. * Update symbols for new upstream version. * Update standards version and switch to debhelper 10. -- Joachim Bauch Thu, 19 Apr 2018 11:44:40 +0200 libde265 (1.0.2-2) unstable; urgency=low [ Joachim Bauch ] * Added patch by Andreas Cadhalpun to fix compilation with FFmpeg 2.9 (Closes: #803834) * Updated symbols file for new C++11 symbols. [ Sebastian Ramacher ] * Migrate to automatic dbg packages. * debian/control: Remove some unnecessary Build-Depends. -- Joachim Bauch Mon, 11 Jan 2016 19:12:19 +0100 libde265 (1.0.2-1) unstable; urgency=low * Imported Upstream version 1.0.2 * Added new files to copyright information. * Only export decoder API and update symbols for new version. -- Joachim Bauch Thu, 16 Jul 2015 11:07:46 +0200 libde265 (0.9-1) unstable; urgency=low * Updated symbols to make all "std::vector" symbols optional. * Imported Upstream version 0.9 * Removed deprecated patch to update symbols visibility. Changes were applied upstream. * Upstream supports compiling against Qt5, prefer that over Qt4. * Added new symbols from new upstream release. -- Joachim Bauch Tue, 16 Sep 2014 18:47:14 +0200 libde265 (0.8-1) unstable; urgency=low * Initial release. (Closes: #744190) -- Joachim Bauch Fri, 08 Aug 2014 17:23:37 +0200