| Summary: | libebml new security issue CVE-2019-13615 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Marc Krämer <mageia> |
| Component: | Security | Assignee: | Shlomi Fish <shlomif> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | linux, luigiwalser, mhrambo3501 |
| Version: | 6 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | libebml-1.3.4-1.mga6.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 1.3.6 | ||
Description
Marc Krämer
2019-07-20 00:54:44 CEST
Marc Krämer
2019-07-20 00:54:55 CEST
Whiteboard:
(none) =>
MGA6TOO
Jani Välimaa
2019-07-20 15:22:18 CEST
QA Contact:
(none) =>
security
David Walser
2019-07-20 15:55:13 CEST
Assignee:
bugsquad =>
shlomif
Looks like invalid report in VLC Bugtracker. Please recheck.
CC:
(none) =>
linux
If we have a newer libebml in mga6 and mga7 which we link to, I agree. Unfortunately they don't say which version is vulnerable.
Sorry for the noise, it was announced in the local IT press not to use vlc.
From https://trac.videolan.org/vlc/ticket/22474#comment:21
"Issue is too old libebml in Ubuntu 18.04: libebml 1.3.6 fixes this issue. End of story: VLC is not vulnerable, whether this is 3.0.7.1 or even 3.0.4. The issue is in a 3rd party library, and it was fixed in VLC binaries version 3.0.3, out more than one year ago... "
In Mageia 7 we have 1.3.7, but in Mageia 6 we have 1.3.4, not sure if that version is vulnerable.
David Walser
2019-07-25 03:30:44 CEST
Whiteboard:
MGA6TOO =>
(none)
Ubuntu has issued an advisory for this on July 25: https://usn.ubuntu.com/4073-1/
Status comment:
(none) =>
Fixed upstream in 1.3.6
Mageia 6 is EOL.
CC:
(none) =>
mrambo