Package: mpv
Version: 0.23.0-1
Severity: grave
Tags: security upstream

Yet another bug relating to the fix for CVE-2018-6360...

This time the bug is not a regression, but a mistake upstream made when
writing the original patch. Upstream overlooked the handling of subtitle
URLs which were not protected.

Upstream has released 0.27.2 and 0.28.2 to fix these. I think the bug
affects 0.23 as well (but I have not yet checked).

Possibly this warrants a new CVE number.

Upstream commit:


Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to