Package: mpv Version: 0.23.0-1 Severity: grave Tags: security upstream Yet another bug relating to the fix for CVE-2018-6360...
This time the bug is not a regression, but a mistake upstream made when writing the original patch. Upstream overlooked the handling of subtitle URLs which were not protected. Upstream has released 0.27.2 and 0.28.2 to fix these. I think the bug affects 0.23 as well (but I have not yet checked). Possibly this warrants a new CVE number. Upstream commit: https://github.com/mpv-player/mpv/commit/3e71eb8676de53a05f51b987d294e7d2fa0a5bc1 James
signature.asc
Description: OpenPGP digital signature