Author: Marc Deslauriers
Revision Date: 2016-12-07 15:36:50 UTC

* SECURITY UPDATE: Updated to 9.20 to fix various crashes with
  invalid-free, corrupted double-linked list or out-of-bounds read
  (LP: #1643467)
  - No CVE number

Author: Marc Deslauriers
Revision Date: 2016-12-07 15:36:50 UTC

* SECURITY UPDATE: Updated to 9.20 to fix various crashes with
  invalid-free, corrupted double-linked list or out-of-bounds read
  (LP: #1643467)
  - No CVE number

Author: Marc Deslauriers
Revision Date: 2016-04-01 08:30:13 UTC

* SECURITY UPDATE: invalid memory access via crafted MJPEG data
  - debian/patches/CVE-2014-8541.patch: check for pixel format changes in
    libavcodec/mjpegdec.c.
  - CVE-2014-8541
* SECURITY UPDATE: out of array access in ff_mjpeg_decode_sof
  - debian/patches/CVE-2015-1872.patch: check number of components in
    libavcodec/mjpegdec.c.
  - CVE-2015-1872
* SECURITY UPDATE: out of bounds array access in msrle_decode_pal4
  - debian/patches/CVE-2015-3395.patch: determine frame size in
    libavcodec/msrledec.c.
  - CVE-2015-3395
* SECURITY UPDATE: size issue in ff_h263_decode_picture_header
  - debian/patches/CVE-2015-5479.patch: check both dimensions in
    libavcodec/ituh263dec.c.
  - CVE-2015-5479
* SECURITY UPDATE: out of bounds array access in decode_ihdr_chunk
  - debian/patches/CVE-2015-6818.patch: only allow one IHDR chunk in
    libavcodec/pngdec.c.
  - CVE-2015-6818
* SECURITY UPDATE: out of bounds array access in ff_sbr_apply
  - debian/patches/CVE-2015-6820.patch: check that the element type
    matches in libavcodec/aacsbr.c, libavcodec/sbr.h.
  - CVE-2015-6820
* SECURITY UPDATE: uninitialized memory access in sws_init_context
  - debian/patches/CVE-2015-6824.patch: clear buffers in
    libswscale/utils.c
  - CVE-2015-6824
* SECURITY UPDATE: invalid pointer use in ff_rv34_decode_init_thread_copy
  - debian/patches/CVE-2015-6826.patch: clear pointers in
    libavcodec/rv34.c.
  - CVE-2015-6826
* SECURITY UPDATE: integer overflow in ff_ivi_init_planes
  - debian/patches/CVE-2015-8364.patch: check image dimensions in
    libavcodec/ivi_common.c.
  - CVE-2015-8364
* SECURITY UPDATE: out of bounds array access in smka_decode_frame
  - debian/patches/CVE-2015-8365.patch: validate data size in
    libavcodec/smacker.c.
  - CVE-2015-8365
* SECURITY UPDATE: cross-origin attack and arbitrary file read via the
  concat protocol
  - debian/confflags: disable concat protocol.
  - CVE-2016-1897
  - CVE-2016-1898
* SECURITY UPDATE: integer overflow in asf_write_packet
  - debian/patches/CVE-2016-2326.patch: check pts in
    libavformat/asfenc.c.
  - CVE-2016-2326
* SECURITY UPDATE: out of bounds array access via tga file
  - debian/patches/CVE-2016-2330.patch: fix lzw buffer size in
    libavcodec/gif.c.
  - CVE-2016-2330

Author: Marc Deslauriers
Revision Date: 2016-04-01 08:30:13 UTC

* SECURITY UPDATE: invalid memory access via crafted MJPEG data
  - debian/patches/CVE-2014-8541.patch: check for pixel format changes in
    libavcodec/mjpegdec.c.
  - CVE-2014-8541
* SECURITY UPDATE: out of array access in ff_mjpeg_decode_sof
  - debian/patches/CVE-2015-1872.patch: check number of components in
    libavcodec/mjpegdec.c.
  - CVE-2015-1872
* SECURITY UPDATE: out of bounds array access in msrle_decode_pal4
  - debian/patches/CVE-2015-3395.patch: determine frame size in
    libavcodec/msrledec.c.
  - CVE-2015-3395
* SECURITY UPDATE: size issue in ff_h263_decode_picture_header
  - debian/patches/CVE-2015-5479.patch: check both dimensions in
    libavcodec/ituh263dec.c.
  - CVE-2015-5479
* SECURITY UPDATE: out of bounds array access in decode_ihdr_chunk
  - debian/patches/CVE-2015-6818.patch: only allow one IHDR chunk in
    libavcodec/pngdec.c.
  - CVE-2015-6818
* SECURITY UPDATE: out of bounds array access in ff_sbr_apply
  - debian/patches/CVE-2015-6820.patch: check that the element type
    matches in libavcodec/aacsbr.c, libavcodec/sbr.h.
  - CVE-2015-6820
* SECURITY UPDATE: uninitialized memory access in sws_init_context
  - debian/patches/CVE-2015-6824.patch: clear buffers in
    libswscale/utils.c
  - CVE-2015-6824
* SECURITY UPDATE: invalid pointer use in ff_rv34_decode_init_thread_copy
  - debian/patches/CVE-2015-6826.patch: clear pointers in
    libavcodec/rv34.c.
  - CVE-2015-6826
* SECURITY UPDATE: integer overflow in ff_ivi_init_planes
  - debian/patches/CVE-2015-8364.patch: check image dimensions in
    libavcodec/ivi_common.c.
  - CVE-2015-8364
* SECURITY UPDATE: out of bounds array access in smka_decode_frame
  - debian/patches/CVE-2015-8365.patch: validate data size in
    libavcodec/smacker.c.
  - CVE-2015-8365
* SECURITY UPDATE: cross-origin attack and arbitrary file read via the
  concat protocol
  - debian/confflags: disable concat protocol.
  - CVE-2016-1897
  - CVE-2016-1898
* SECURITY UPDATE: integer overflow in asf_write_packet
  - debian/patches/CVE-2016-2326.patch: check pts in
    libavformat/asfenc.c.
  - CVE-2016-2326
* SECURITY UPDATE: out of bounds array access via tga file
  - debian/patches/CVE-2016-2330.patch: fix lzw buffer size in
    libavcodec/gif.c.
  - CVE-2016-2330

Author: Steve Langasek
Revision Date: 2015-08-11 06:52:07 UTC

No-change rebuild against libjack-jackd2-0v5

Author: Steve Langasek
Revision Date: 2015-08-11 06:52:07 UTC

No-change rebuild against libjack-jackd2-0v5

Author: Matthias Klose
Revision Date: 2014-03-24 05:55:46 UTC

No-change rebuild for x264 soname bump.

Author: Sebastian Ramacher
Revision Date: 2015-01-17 20:56:19 UTC

* New upstream release fixing multiple security issues. (Closes: #773626)
  - h264: restore a block mistakenly removed in e10fd08a
  - on2avc: check number of channels (CVE-2014-8549)
  - smc: fix the bounds check (CVE-2014-8548)
  - gifdec: refactor interleave end handling (CVE-2014-8547)
  - mmvideo: check frame dimensions (CVE-2014-8543)
  - jvdec: check frame dimensions (CVE-2014-8542)
  - mjpegdec: check for pixel format changes (CVE-2014-8541)
  - mov: avoid a memleak when multiple stss boxes are present
  - vc1: Do not assume seek happens after decoding
  - avconv: Use the mpeg12 private option scan_offset (Closes: #773055)
  - xsub: Support DXSA subtitles
  - mp3dec: fix reading the Xing tag
  - matroskaenc: write correct Display{Width, Height} in stereo encoding
  - configure: Fix enabling memalign_hack automatically
  - mp3enc: fix a triggerable assert
  - latm: Do not give a score for a single instance
  - mp3: Tweak the probe scores
  - matroskaenc: write correct Display{Width, Height} in stereo encoding
  - coverity: Fix most of the reported warnings and issues
* debian/control: Add myself to Uploaders.

Author: Sebastian Ramacher
Revision Date: 2015-01-17 20:56:19 UTC

* New upstream release fixing multiple security issues. (Closes: #773626)
  - h264: restore a block mistakenly removed in e10fd08a
  - on2avc: check number of channels (CVE-2014-8549)
  - smc: fix the bounds check (CVE-2014-8548)
  - gifdec: refactor interleave end handling (CVE-2014-8547)
  - mmvideo: check frame dimensions (CVE-2014-8543)
  - jvdec: check frame dimensions (CVE-2014-8542)
  - mjpegdec: check for pixel format changes (CVE-2014-8541)
  - mov: avoid a memleak when multiple stss boxes are present
  - vc1: Do not assume seek happens after decoding
  - avconv: Use the mpeg12 private option scan_offset (Closes: #773055)
  - xsub: Support DXSA subtitles
  - mp3dec: fix reading the Xing tag
  - matroskaenc: write correct Display{Width, Height} in stereo encoding
  - configure: Fix enabling memalign_hack automatically
  - mp3enc: fix a triggerable assert
  - latm: Do not give a score for a single instance
  - mp3: Tweak the probe scores
  - matroskaenc: write correct Display{Width, Height} in stereo encoding
  - coverity: Fix most of the reported warnings and issues
* debian/control: Add myself to Uploaders.

Author: Reinhard Tartler
Revision Date: 2014-09-13 15:36:38 UTC

* Upload final 11 release
  - matroskadec: parse stereo mode on decoding (Closes: #757185)

Author: Reinhard Tartler
Revision Date: 2014-09-13 15:36:38 UTC

* Upload final 11 release
  - matroskadec: parse stereo mode on decoding (Closes: #757185)

Author: Marc Deslauriers
Revision Date: 2014-07-15 07:31:39 UTC

Update to 0.8.13 to fix multiple security issues (LP: #1341216)

Author: Marc Deslauriers
Revision Date: 2014-07-15 07:31:39 UTC

Update to 0.8.13 to fix multiple security issues (LP: #1341216)

Author: Reinhard Tartler
Revision Date: 2014-05-29 23:47:28 UTC

replace ppc64el and arm64 ftbfs patches with version provided by upstream

Author: Reinhard Tartler
Revision Date: 2014-05-17 17:03:21 UTC

Remove obsolete debian/libav-tools.maintscript. It is inteneded for
upgrade ffserver.conf from ancient versions (pre-precise), but causes
dpkg warnings on upgrades. LP: #1315672

Author: Matthias Klose
Revision Date: 2014-03-24 05:55:46 UTC

No-change rebuild for x264 soname bump.

Author: Marc Deslauriers
Revision Date: 2014-02-06 12:09:43 UTC

Update to 0.8.10 to fix multiple security issues (LP: #1277173)

Author: Marc Deslauriers
Revision Date: 2014-02-06 12:09:43 UTC

Update to 0.8.10 to fix multiple security issues (LP: #1277173)

Author: Marc Deslauriers
Revision Date: 2013-11-09 10:48:01 UTC

Update to 0.8.9 to fix multiple security issues (LP: #1249621)

Author: Marc Deslauriers
Revision Date: 2013-11-09 10:48:01 UTC

Update to 0.8.9 to fix multiple security issues (LP: #1249621)

Author: William Grant
Revision Date: 2013-10-11 16:59:06 UTC

* debian/patches/{05-aarch64-support.patch,06-aarch64-pie.patch}:
  - Backport basic aarch64 support from git.

Author: William Grant
Revision Date: 2013-10-11 16:59:06 UTC

* debian/patches/{05-aarch64-support.patch,06-aarch64-pie.patch}:
  - Backport basic aarch64 support from git.

Author: Jackson Doak
Revision Date: 2013-07-10 23:23:09 UTC

Merged from debian unstable

Author: Reinhard Tartler
Revision Date: 2013-03-30 22:41:36 UTC

Put back the dh_strip invocations. Otherwise, no .ddebs will be
available at all.

Author: Reinhard Tartler
Revision Date: 2013-03-30 22:41:36 UTC

Put back the dh_strip invocations. Otherwise, no .ddebs will be
available at all.

Author: Marc Deslauriers
Revision Date: 2013-01-24 13:31:43 UTC

* SECURITY UPDATE: unspecified security issue in vp56.c (LP: #1104019)
  - debian/patches/CVE-2012-2783.patch: release frames on error in
    libavcodec/vp56.c.
  - CVE-2012-2783
* SECURITY UPDATE: unspecified security issue in Indeo (LP: #1104019)
  - debian/patches/CVE-2012-2791.patch: check that scan pattern is set
    before using it in libavcodec/ivi_common.c.
  - CVE-2012-2791
* SECURITY UPDATE: double free vulnerability in mpeg_decode_frame
  - debian/patches/CVE-2012-2803.patch: do not decode extradata more than
    once in libavcodec/mpeg12.c.
  - CVE-2012-2803
* SECURITY UPDATE: issue in AAC decoding
  - debian/patches/CVE-2012-5144.patch: fix off-by-one in
    libavcodec/aacdec.c.
  - CVE-2012-5144

Author: Marc Deslauriers
Revision Date: 2013-01-24 13:31:43 UTC

* SECURITY UPDATE: unspecified security issue in vp56.c (LP: #1104019)
  - debian/patches/CVE-2012-2783.patch: release frames on error in
    libavcodec/vp56.c.
  - CVE-2012-2783
* SECURITY UPDATE: unspecified security issue in Indeo (LP: #1104019)
  - debian/patches/CVE-2012-2791.patch: check that scan pattern is set
    before using it in libavcodec/ivi_common.c.
  - CVE-2012-2791
* SECURITY UPDATE: double free vulnerability in mpeg_decode_frame
  - debian/patches/CVE-2012-2803.patch: do not decode extradata more than
    once in libavcodec/mpeg12.c.
  - CVE-2012-2803
* SECURITY UPDATE: issue in AAC decoding
  - debian/patches/CVE-2012-5144.patch: fix off-by-one in
    libavcodec/aacdec.c.
  - CVE-2012-5144

Author: Colin Watson
Revision Date: 2012-10-01 11:48:25 UTC

Temporarily fudge the versioning of libavcodec-dev's dependency on
libavcodec-extra-53 to cope with the botched merge of libav-extra.

Author: Jason Gerard DeRose
Revision Date: 2012-07-30 20:56:15 UTC

Added changelog entry

Author: Jason Gerard DeRose
Revision Date: 2012-07-30 20:10:15 UTC

Oops, distro should be precise-proposed (thanks, slangasek)

Author: Marc Deslauriers
Revision Date: 2012-06-12 10:26:36 UTC

* Update to 0.7.6 to fix multiple security issues. (LP: #1012132)
  - CVE-2011-3929
  - CVE-2011-3936
  - CVE-2011-3940
  - CVE-2011-3945
  - CVE-2011-3947
  - CVE-2011-3951
  - CVE-2011-3952
  - CVE-2012-0850
  - CVE-2012-0851
  - CVE-2012-0852
  - CVE-2012-0853
  - CVE-2012-0858
  - CVE-2012-0859
  - CVE-2012-0947

Author: Marc Deslauriers
Revision Date: 2012-06-12 10:26:36 UTC

* Update to 0.7.6 to fix multiple security issues. (LP: #1012132)
  - CVE-2011-3929
  - CVE-2011-3936
  - CVE-2011-3940
  - CVE-2011-3945
  - CVE-2011-3947
  - CVE-2011-3951
  - CVE-2011-3952
  - CVE-2012-0850
  - CVE-2012-0851
  - CVE-2012-0852
  - CVE-2012-0853
  - CVE-2012-0858
  - CVE-2012-0859
  - CVE-2012-0947

Author: Matthieu Baerts
Revision Date: 2012-06-10 14:53:25 UTC

* debian/ffmpeg.install and debian/libav-tools.install:
 - Moved all ffmpeg binaries and manpages to ffmpeg package
   (LP: #1011136)

Author: Micah Gersten
Revision Date: 2012-03-21 21:18:24 UTC

* New upstream bug and security fix release (FFe: LP: #960949)
  - fixes the following CVEs:
    CVE-2012-0848, CVE-2012-0853, CVE-2012-0858, CVE-2011-3929,
    CVE-2011-3936, CVE-2011-3937, CVE-2011-3940, CVE-2011-3945,
    CVE-2011-3947, CVE-2011-3951, CVE-2011-3952

* Pull fix from Debian git to fix installation of avserver.conf and
  recordshow.sh into libav-tools; Thanks to Julien Cristau for spotting this!
  - update debian/rules

Author: Marc Deslauriers
Revision Date: 2012-01-03 15:31:49 UTC

* Update to 0.7.3 to fix multiple security issues (LP: #911811):
  - SECURITY UPDATE: denial of service and possible code execution via
    malformed file containing QDM2 stream
    - CVE-2011-4351
  - SECURITY UPDATE: denial of service and possible code execution via
    malformed file containing VP3 stream
    - CVE-2011-4352
  - SECURITY UPDATE: denial of service and possible code execution via
    malformed file containing VP5 or VP6 streams
    - CVE-2011-4353
  - SECURITY UPDATE: denial of service and possible code execution via
    malformed VMD file
    - CVE-2011-4364
  - SECURITY UPDATE: denial of service and possible code execution via
    malformed file containing svq1 stream
    - CVE-2011-4579

Author: Marc Deslauriers
Revision Date: 2012-01-03 15:49:39 UTC

* Update to 0.6.4 to fix multiple security issues (LP: #911811):
  - SECURITY UPDATE: denial of service and possible code execution via
    malformed Matroska file
    - CVE-2011-3504
  - SECURITY UPDATE: denial of service and possible code execution via
    malformed file containing QDM2 stream
    - CVE-2011-4351
  - SECURITY UPDATE: denial of service and possible code execution via
    malformed file containing VP3 stream
    - CVE-2011-4352
  - SECURITY UPDATE: denial of service and possible code execution via
    malformed file containing VP5 or VP6 streams
    - CVE-2011-4353
  - SECURITY UPDATE: denial of service and possible code execution via
    malformed VMD file
    - CVE-2011-4364
  - SECURITY UPDATE: denial of service and possible code execution via
    malformed file containing svq1 stream
    - CVE-2011-4579
* Removed upstreamed patches:
  - CVE-2011-1196.patch
  - CVE-2011-1931.patch
  - CVE-2011-3362.patch

Author: Reinhard Tartler
Revision Date: 2011-10-01 00:22:07 UTC

* Merge from debian, remaining changes:
  - don't build against libfaad, libdirac, librtmp and libopenjpeg,
    lame, xvid, x264 (all in universe)
  - not installing into multiarch directories
* This new upstream release has basically merged in all 70 patches that
  are present in 4:0.7.1-7ubuntu2, plus some additional, similarily
  focused ones.

Author: Reinhard Tartler
Revision Date: 2011-03-20 12:09:31 UTC

* Merge from debian. Remaining changes:
  - don't build against libfaad, libdirac, librtmp and libopenjpeg
    (all in universe)
  - explicitly --enable-pic on powerpc, cf. LP #654666
  - different arm configure bits that should probably better be
    merged into debian