Summary
The current PyPI wheels for PyAV v17.0.1 bundle ffmpeg 8.0.1, which contains several security vulnerabilities including a Critical severity CVE. The main branch already defaults to ffmpeg 8.1.1 (per scripts/activate.sh), but this hasn't been released to PyPI yet.
Security Vulnerabilities in ffmpeg 8.0.1
Impact
Organizations using hardened container images for security compliance cannot deploy PyAV v17.0.1 due to the Critical CVE. Grype and other vulnerability scanners flag this in security audits.
Request
Could you please publish a new release (v17.0.2 or v17.1.0) with wheels built against ffmpeg 8.1.1? I see the work has already been done in PRs #2253 and #2255.
Workaround
Currently the only workaround is building PyAV from source with ffmpeg 8.1.1, which adds significant complexity to container builds.
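A check that belongs in the container build after either route (the from-source build or a future wheel), added here as an example and not PyAV project code: it reads the ffmpeg version string reported by the installed PyAV module and fails the build when it is below 8.1.1, so a scanner finding is caught at build time rather than at audit time. It assumes the installed PyAV exposes the bundled library's version as `av.ffmpeg_version_info` (a string such as "8.0.1" or "n8.0.1"); the floor value and the git-describe handling are assumptions of this example.

```python
"""Gate a container build on the ffmpeg version bundled by the installed PyAV.

Added example, not PyAV's own code. Assumes `av.ffmpeg_version_info` carries
the bundled ffmpeg's version string and that 8.1.1 is the floor to enforce.
"""
import re
import sys

# Floor taken from the issue text: released wheels should carry ffmpeg 8.1.1.
MIN_FFMPEG = (8, 1, 1)

# Matches the first "major.minor[.patch]" run in the version string.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_ffmpeg_version(info: str) -> tuple:
    """Return (major, minor, patch) from an ffmpeg version string.

    Accepts plain "8.0.1" and tag-style "n8.0.1". A git-describe string such
    as "N-123456-gabcdef0" (assumed form) carries no release number, so the
    caller gets a ValueError instead of a silently passing gate.
    """
    match = _VERSION_RE.search(info)
    if not match:
        raise ValueError(f"cannot determine a release version from {info!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def meets_floor(info: str, floor=MIN_FFMPEG) -> bool:
    """True when the parsed version is at or above the required floor."""
    return parse_ffmpeg_version(info) >= floor


def bundled_ffmpeg_version() -> str:
    """Read the version string from the installed PyAV (import deferred so the
    pure helpers above remain usable without PyAV present)."""
    import av  # noqa: WPS433 - runtime dependency of the image being checked
    return av.ffmpeg_version_info


def main() -> int:
    info = bundled_ffmpeg_version()
    ok = meets_floor(info)
    floor_text = ".".join(str(part) for part in MIN_FFMPEG)
    status = "OK" if ok else "BELOW FLOOR"
    print(f"PyAV bundles ffmpeg {info}: {status} (floor {floor_text})")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a final `RUN python check_ffmpeg.py` step of the Dockerfile (file name is an assumption); a non-zero exit stops the image from being published with the flagged library.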
Thank you for maintaining this excellent library!