*** This bug is a security vulnerability ***
Public security bug reported:
Binary package hint: vlc
A few days ago, vlc 0.8.6e was released. The developers "strongly
recommend all users to update to this new version" since it fixes
security vulnerabilities. Please update vlc to vlc 0.8.6e in all Ubuntu
versions that are still supported.
Here is the announcement:
VLC media player 0.8.6e, VideoLAN Security 0801 and 0802 (2008-02-27)
This is a bugfix release. VLC media player 0.8.6d and earlier versions suffer
from security vulnerabilities in the Web interface, Subtitle demuxer, Real RTSP
demuxer, SDL_image library and MP4 demuxer.
Technical details are available in our advisories: SA-0801 and SA-0802.
The usual collection of assorted changes and improvements can be found here.
This release fully supports Mac OS X 10.3.9 once again.
We strongly recommend all users to update to this new version.
and the release notes:
Changes between 0.8.6d and 0.8.6e:
----------------------------------
Various bugfixes:
* Resume playback for viewing content over FTP
* Fixed XShm detection with remote X11
Security updates:
* Subtitle demuxers overflow (CVE-2007-6681)
* HTTP listener format string injection (CVE-2007-6682)
* Fixed buffer overflow in the SDL_image library (CVE-2006-4484)
* Real RTSP overflows (CVE-2008-0225, CVE-2008-0295, CVE-2008-0296,
VideoLAN-SA-0801)
* Arbitrary memory overwrite in the MP4 demuxer (CORE-2008-0130,
VideoLAN-SA-0802)
Audio filter:
* Fixed DTS to S/PDIF converter
Audio output:
* Fixed 5.1 audio on ALSA
Access:
* Fixed some RTSP hanging and user/password passing through RTSP URLs
Stream output:
* Fixed waiting for SPS/PPS problem in H.264 packetizer
Encoders:
* Improved compatibility for creating H.264 video files playable on iPhones
* Improved detection of optimal amount of threads for multi-threaded H.264
encoding on multi-cpu systems
- Note that this is used when transcode threads is set to 0 (default)
- Not supported on Windows (multiple threads require manual configuration)
Mac OS X Interface & Port:
* Restored compatibility with Mac OS X 10.3.9
* Corrected behavior of the Preferences panel
* VLC no longer crashes on quit while playing
Localization:
* Updated Romanian and Polish translations
** Affects: vlc (Ubuntu)
Importance: Undecided
Status: New
** Visibility changed to: Public
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-6681
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-6682
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4484
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0225
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0295
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0296
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0130
--
[Security] Please update vlc to vlc 0.8.6e
https://bugs.launchpad.net/bugs/196452