List:       oss-security
Subject:    Re: [oss-security] MFSA 2009-63
From:       Tomas Hoger <thoger () redhat ! com>
Date:       2009-10-30 18:35:34
Message-ID: 20091030193534.395d6b22 () redhat ! com

Hi Reed!

On Fri, 30 Oct 2009 10:15:23 -0500 Reed Loden <reed@reedloden.com>
wrote:

> I think we used one CVE per library upgrade, so three in total
> (libvorbis, liboggz, liboggplay).

Correct.  And the fixes brought in as part of those updates are
possibly spread across multiple upstream versions, which is a common
reason to do a CVE split.

> Bug 499512 seems to be a liboggplay issue fixed by bug 512328.

It's listed among libvorbis bugs and I wasn't able to tell if there was
only a liboggplay-side issue.

> However, if you notice any issues yourself with the advisory, please
> feel free to report any issues to me or to security@m.o.

I've only added a comment to 515889, which seems to be a dupe of one
older vorbis CVE.

Thank you!

-- 
Tomas Hoger / Red Hat Security Response Team