faad2 (2.8.0~cvs20150510-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Various issues were discovered in faad2 that can cause
    DoS (large loop and CPU consumption) via a crafted mp4 file.
    - debian/patches/CVE-2017-92xx.patch: Fix multiple vulnerabilities.
    - CVE-2017-9218
    - CVE-2017-9219
    - CVE-2017-9220
    - CVE-2017-9221
    - CVE-2017-9222
    - CVE-2017-9223
    - CVE-2017-9253
    - CVE-2017-9254
    - CVE-2017-9255
    - CVE-2017-9256
    - CVE-2017-9257

 -- Eduardo Barretto  Fri, 22 Feb 2019 08:22:51 -0300

faad2 (2.8.0~cvs20150510-1) unstable; urgency=medium

  * New upstream CVS snapshot.
    + Does not crash when given ADTS AAC file with large ID3v2 tag anymore,
      thanks Mike Crowe for the bug report and patch (Closes: #689712).
    + Does not crash with the Mayhem testcase anymore, thanks Alexandre
      Rebert for the bug report (Closes: #715882).
  * Add debian/README.source to document how the Debian source tarball was
    created and force xz compression in debian/gbp.conf.
  * Remove all patches that were either applied, solved differently or
    disapproved upstream:
    + autotools-compat.patch: Disapproved upstream.
    + noinst-mp4ff.patch: Applied upstream.
    + manpage.patch: Applied upstream.
    + incorrect_pointer_size.patch: Does not apply anymore.
    + bpa-stdin.patch: Applied upstream.
    + path_max.patch: Applied upstream.
    + fix_ftbfs_with_gcc4.5.patch: Disapproved upstream.
    + symbol-visibility.patch: Does not apply anymore.
    + libfaad-drm.patch: Applied upstream.
  * Ship upstream's own frontend and API documentation manpages.
  * Update Debian packaging copyright years.
  * Remove '__DATE__' CPP macro for reproducible builds.

 -- Fabian Greffrath  Mon, 11 May 2015 13:59:49 +0200

faad2 (2.7-9) unstable; urgency=medium

  * Build the DRM version of the library as well as the normal version,
    thanks Julian Cable for the idea and the patch!
  * Remove Andres Mejia from Uploaders (Closes: #743545).
  * Remove "DM-Upload-Allowed" field from debian/control.
  * Mark the faad2-dbg package as "Multi-Arch: same" and remove faad
    ("Multi-Arch: no") from its Dependencies.
  * Remove debian/source/local-options, they are default now.
  * Add faad.lintian-overrides for a spelling error that is used in the id3
    specification.
  * Fix "vcs-field-not-canonical" lintian warning.
  * Fix "'visibility' attribute ignored on non-class types" compiler
    warnings introduced by our symbol versioning patch.
  * Fix most autotools warnings.
  * Bump "Standards-Version" to 3.9.6.
  * Run "wrap-and-sort -asb".
  * Add extensive API documentation in libfaad.3, courtesy of Julian Cable.

 -- Fabian Greffrath  Thu, 30 Apr 2015 18:04:42 +0200

faad2 (2.7-8) unstable; urgency=low

  [ Fabian Greffrath ]
  * debian/patches/path_max.patch:
    + Dynamically allocate file name buffers, instead of relying on
      PATH_MAX.
  * Set appropriate symbol visibility attributes.
  * Rebuild autofoo with dh-autoreconf.
  * Add debian/libfaad2.symbols file.
  * Multi-Archify.
  * Remove redundant license blurb from debian/copyright.
  * libmp4ff is not packaged, so do not install it either.
  * Simplify debian/*.install accordingly.

  [ Andres Mejia ]
  * Make dev package multiarch installable.
  * Bump to Standards-Version 3.9.3.

 -- Andres Mejia  Sun, 18 Mar 2012 09:07:55 -0400

faad2 (2.7-7) unstable; urgency=low

  [ Andres Mejia ]
  * Update to my @debian.org email.
  * Update gbp.conf.

  [ Reinhard Tartler ]
  * Update Vcs-Browser field
  * bump standards version (no changes needed)

  [ Fabian Greffrath ]
  * Convert to 3.0 (quilt) source format.
  * Re-enable two patches that got lost in the 2.7-6 upload:
    - debian/patches/bpa-stdin.patch
      + Apply SqueezeCenter patches from FreeBSD that enable streaming with
        BBCiPlayer and ezstream (LP: #470562).
    - debian/patches/path_max.patch
      + Extend file name buffers for longer path names (LP: #475050).
  * Merge patch from 2.7-6ubuntu1:
    - debian/patches/fix_ftbfs_with_gcc4.5.patch
      + Correctly declare lrintf in libfaad/common.h to avoid a conflict of
        declaration in mathcalls.h to fix FTBFS on i386
  * Improve debian/copyright.

 -- Fabian Greffrath  Wed, 03 Aug 2011 14:19:49 +0200

faad2 (2.7-6) unstable; urgency=high

  [ Alessio Treglia ]
  * Fix segmentation fault in faad due to an incorrect pointer size
    (Closes: #603807, LP: #665802).
  * Add gbp config file.

  [ Andres Mejia ]
  * Revert changes in 2.7-5. Upload of 2.7-5 was unintentionally done.
  * Refresh patches.

 -- Andres Mejia  Mon, 22 Nov 2010 19:17:36 -0500

faad2 (2.7-5) unstable; urgency=low

  * Update my e-mail address.
  * Apply SqueezeCenter patches from FreeBSD that enable streaming with
    BBCiPlayer and ezstream (LP: #470562).
  * Extend file name buffers for longer path names (LP: #475050).

 -- Fabian Greffrath  Mon, 16 Aug 2010 16:43:14 +0200

faad2 (2.7-4) unstable; urgency=low

  * debian/control: Do not build the shared libmp4ff library packages
    anymore (Closes: #550679). The use of mp4ff from faad2 is discouraged
    by upstream, see .
  * Removed debian/patches/force-include-stdint_h.patch.
  * Removed debian/patches/libmp4ff-shared-lib.patch.
  * Removed debian/patches/70_automake-1.9.patch.
  * Added debian/README.source.
  * Bumped Standards-Version to 3.8.3.
  * Raised Build-Depends to debhelper (>= 7.0.50~), thanks lintian.
  * Removed debian/libmp4ff-dev.install and debian/libmp4ff0.install.
  * Removed libmp4ff0 from Depends for faad2-dbg.

 -- Fabian Greffrath  Mon, 26 Oct 2009 12:04:41 +0100

faad2 (2.7-3) UNRELEASED; urgency=low

  * debian/patches/force-include-stdint_h.patch: New patch to force
    inclusion of stdint.h (Closes: #550679).

 -- Fabian Greffrath  Thu, 15 Oct 2009 18:00:41 +0200

faad2 (2.7-2) unstable; urgency=low

  * upload to unstable.

 -- Reinhard Tartler  Wed, 16 Sep 2009 21:07:45 +0200

# For older changelog entries, run 'apt-get changelog libfaad2'