From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <cygwin-apps-return-35726-listarch-cygwin-apps=sources.redhat.com@cygwin.com>
Received: (qmail 16033 invoked by alias); 20 Feb 2015 06:53:33 -0000
Mailing-List: contact cygwin-apps-help@cygwin.com; run by ezmlm
Precedence: bulk
Sender: cygwin-apps-owner@cygwin.com
List-Id: <cygwin-apps.cygwin.com>
List-Subscribe: <mailto:cygwin-apps-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin-apps/>
List-Post: <mailto:cygwin-apps@cygwin.com>
List-Help: <mailto:cygwin-apps-help@cygwin.com>, <http://sourceware.org/lists.html#faqs>
Mail-Followup-To: cygwin-apps@cygwin.com
Received: (qmail 16023 invoked by uid 89); 20 Feb 2015 06:53:32 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-1.6 required=5.0 tests=AWL,BAYES_00,SPF_HELO_PASS autolearn=ham version=3.3.2
X-HELO: mx1.redhat.com
Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES256-GCM-SHA384 encrypted) ESMTPS; Fri, 20 Feb 2015 06:53:31 +0000
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22])	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t1K6rTO0017843	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)	for <cygwin-apps@cygwin.com>; Fri, 20 Feb 2015 01:53:30 -0500
Received: from YAAKOV04.redhat.com ([10.10.116.24])	by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t1K6rS7T012585	(version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NO)	for <cygwin-apps@cygwin.com>; Fri, 20 Feb 2015 01:53:29 -0500
Message-ID: <1424415222.3460.124.camel@cygwin.com>
Subject: Re: [SECURITY] vorbis-tools
From: Yaakov Selkowitz <yselkowitz@cygwin.com>
To: cygwin-apps@cygwin.com
Date: Fri, 20 Feb 2015 06:53:00 -0000
In-Reply-To: <1424234538.11028.104.camel@cygwin.com>
References: <1424234538.11028.104.camel@cygwin.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes
X-SW-Source: 2015-02/txt/msg00269.txt.bz2

On Tue, 2015-02-17 at 22:42 -0600, Yaakov Selkowitz wrote:
> David,
> 
> vorbis-tools requires a patch for CVE-2014-9640:
> 
> http://pkgs.fedoraproject.org/cgit/vorbis-tools.git/plain/vorbis-tools-1.4.0-bz1185558.patch

And now another one for CVE-2014-9638 and CVE-2014-9639:

http://pkgs.fedoraproject.org/cgit/vorbis-tools.git/plain/vorbis-tools-1.4.0-CVE-2014-9638-CVE-2014-9639.patch

> There are other patches in that repo that you may wish to consider
> adding; at a minimum, I would recommend the patch for vcut:
> 
> http://pkgs.fedoraproject.org/cgit/vorbis-tools.git/plain/vorbis-tools-1.4.0-bz1003607.patch

--
Yaakov