oss-sec mailing list archives

Re: MFSA 2009-63


From: Tomas Hoger <thoger () redhat com>
Date: Fri, 30 Oct 2009 19:35:34 +0100

Hi Reed!

On Fri, 30 Oct 2009 10:15:23 -0500 Reed Loden <reed () reedloden com>
wrote:

> I think we used one CVE per library upgrade, so three in total
> (libvorbis, liboggz, liboggplay).

Correct.  And the fixes brought in as part of those updates are
possibly spread across multiple upstream versions, which is a common
reason to do a CVE split.

> Bug 499512 seems to be a liboggplay issue fixed by bug 512328.

It's listed among libvorbis bugs and I wasn't able to tell if there was
only a liboggplay-side issue.

> However, if you notice any issues yourself with the advisory, please
> feel free to report any issues to me or to security@m.o.

I've only added a comment to 515889, which seems to be a dupe of one
older vorbis CVE.

Thank you!

-- 
Tomas Hoger / Red Hat Security Response Team
