Hello. I wasn't aware of those vulnerabilities in mongoose. It's possible to disable the support for chromecast in smplayer by commenting out the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro.

2018-06-03 18:41 GMT+02:00 Reinhard Tartler <siret...@gmail.com>:
> Hi Richardo,
>
> I'm not sure if you have seen this email, Moritz from the debian
> security team is reporting a release-critical bug in smplayer. More
> specifically, smplayer appears to be using the mongoose webserver
> implementation as an implementation detail of the chromecast
> component.
>
> Having to remove smplayer would be most unfortunate. I checked the
> upstream commits at
> https://github.com/cesanta/mongoose/commits/master, but apparently
> there is no fix available yet. Maybe I'm missing something but if not,
> my question to you is whether we can easily disable the chromecast
> component from the smplayer build?
>
> Please let me know your thoughts on this.
>
> Best,
> Reinhard
>
> ---------- Forwarded message ---------
> From: Moritz Muehlenhoff <j...@debian.org>
> Date: Thu, May 17, 2018 at 12:51 PM
> Subject: Bug#898943: Multiple vulnerabiliities in Mongoose
> To: Debian Bug Tracking System <sub...@bugs.debian.org>
>
>
> Source: smplayer
> Severity: grave
> Tags: security
>
> smplayer seems to embed Cesanta Mongoose:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922
>
> Cheers,
> Moritz
>
> _______________________________________________
> pkg-multimedia-maintainers mailing list
> pkg-multimedia-maintain...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
>
>
> --
> regards,
> Reinhard

--
RVM