From: Brad Smith
Subject: Re: UPDATE: libvpx 1.15.2
To: Landry Breuil
Cc: ports@openbsd.org
Date: Mon, 7 Jul 2025 23:40:39 -0400

On 2025-07-05 7:19 a.m., Landry Breuil wrote:
> On Sat, Jul 05, 2025 at 04:00:47AM -0400, Brad Smith wrote:
>> Here is an update to libvpx 1.15.2.
>>
>> CVE-2025-5283
>>
>> Tested on aarch64.
> was it tested on BTI ? with what consumers ? i'll try to put it on the
> omnibook w/firefox.
>
> does the cve warrant a backport to 7.7 which has 1.15.0 ?
> and if so, why the major bump, removed syms ?

I don't have such a system. But the only change between .0 and .2 is the
security fix.

https://chromium.googlesource.com/webm/libvpx/+/865eaf63a727966d19185b79836480dfc844749b%5E%21/

It sounds like it probably should be.

The bump comes because there is an internal version check and if you do not
bump the major it'll fail. You can't build with one version and run with
another even if the ABI has not changed.

[libvpx-vp9 @ 0x16ca7e3400] Failed to initialize encoder: ABI version mismatch