CVE-2023-44446 raised against gstreamer not uploaded to repository

Posted: 2024/01/22 11:44:52
by mp0026778
CVE-2023-44446 raised against gstreamer was fixed by RHEL on 17th Jan 2024. The fix is not available in the mirror repos.

Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Posted: 2024/01/22 12:43:05
by TrevorH
It's in progress.

CVE-2023-44446 raised against gstreamer not uploaded to repository

Posted: 2024/01/25 17:49:50
by eliezer318
Is there a timeline for when this patch will be available?

Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Posted: 2024/01/25 18:08:54
by TrevorH
There was a build problem that took some time to work out but I see that it built earlier today. I am not sure if it will be published separately or as part of the batch of updates that are pending - I'd suspect the latter. This is what else is pending:

389-ds-base-1.3.11.1-4.el7_9.src.rpm
kernel-3.10.0-1160.108.1.el7.src.rpm
java-1.8.0-openjdk-1.8.0.402.b06-1.el7_9.src.rpm
java-11-openjdk-11.0.22.0.7-1.el7_9.src.rpm
LibRaw-0.19.4-2.el7_9.src.rpm
gstreamer-plugins-bad-free-0.10.23-24.el7_9.src.rpm
net-snmp-5.7.2-49.el7_9.4.src.rpm
python-pillow-2.0.0-24.gitd1c6db8.el7_9.src.rpm
sssd-1.16.5-10.el7_9.16.src.rpm
xorg-x11-server-1.20.4-27.el7_9.src.rpm

Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Posted: 2024/01/25 18:41:41
by eliezer318
Is there a way to get that GStreamer plug-in build published (get priority), and where will the link be available for download?

Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Posted: 2024/01/25 18:53:16
by TrevorH
You can search through https://buildlogs.centos.org/ if you like but I did just have a look in all the obvious looking places there and came up blank.

Oh, and be aware that if you do find it there then it will not be GPG signed as that only happens as the fix is released.

Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Posted: 2024/01/25 19:10:24
by eliezer318
Trevor,

I want to keep tabs on this. What are the obvious places so I can get this taken care of for my systems myself?

Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Posted: 2024/01/26 18:01:20
by TrevorH
I'm told that the entire list of x86_64 updates has just been pushed to the mirror network so should replicate round the world soon. Running `yum clean all` before an update might help to see those updates sooner as the default expiry time for metadata is 6 hours.

Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Posted: 2024/01/29 09:02:30
by mp0026778
Thanks for the update. I am able to find the updated package now.

Re: CVE-2023-44446 raised against gstreamer not uploaded to repository

Posted: 2024/01/30 16:17:54
by TrevorH
These updates are now published so are available via `yum update`.

You do not need to download them from buildlogs and, as far as I can see, they are no longer published to buildlogs during the build process, so there is no way to get them before they are released.