faad2 security fixes only in latest version
faad2 has a few CVEs which are fixed in the latest release only. @Leo opened a couple of merge requests to update these in older stable branches, as this package is in main.
- !102 (closed) main/faad2: upgrade to 2.9.0
- !423 (closed) [3.10] main/faad2: security upgrade to 2.9.0
- !424 (closed) [3.9] main/faad2: security upgrade to 2.9.0
- !425 (closed) [3.8] main/faad2: security upgrade to 2.9.0
The problem is that this would upgrade faad from 2.7.x to 2.9.x in our stable branches. How should we handle this? As older versions do not receive any fixes, it seems that faad2 does not really belong in main and should be moved to community.
PS: I accidentally already pushed the upgrade for 3.10 before I realized that this was a larger upgrade.
So 2 questions:
- Should we upgrade faad2 to 2.9 even in stable branches, or try to backport the fixes?
- Should faad2 be moved to community?