VLC 2.1.6 and 2.2.0 have been released. The NEWS for 2.1.6 says:

Changes between 2.1.5 and 2.1.6:
--------------------------------

Audio output:
 * Fix OSS stuttering

Security:
 * Fix heap overflow in decomp stream filter
 * Fix buffer overflow in updater
 * Fix potential buffer overflow in schroedinger encoder
 * Fix null-pointer dereference in DMO decoder
 * Fix buffer overflow in parsing of string boxes in mp4 demuxer
 * Fix SRTP integer overflow
 * Fix potential crash in zip access
 * Fix read overflow in Ogg demuxer

Win32 installer:
 * Update translations and greek encoding

I think we fixed most of those security issues in Bug 15195, but it doesn't look like the decomp stream filter, zip access, or Ogg demuxer fixes are there. The SRTP thing might be different from the rtp streaming invalid memory access too, so we might also be missing that.

We should update Mageia 4 to 2.1.6.

We should update Mageia 5 to 2.2.0 final. You can see the changes since our February 13th snapshot in git here: http://git.videolan.org/?p=vlc/vlc-2.2.git;a=summary

Not sure if we'll be able to get that in now or if we'll have to do it post-release.
CC: (none) => cjw, shlomif
Whiteboard: (none) => MGA4TOO
I'm working on the VLC-2.1.6 upgrade for Mageia 4 now.
I think that the packaging of plugins.dat should be fixed for mga4 in the same way that it was fixed in mga5 for bug 15311 (ghost plugins.dat + rpm file trigger to update it at install time). https://trac.videolan.org/vlc/ticket/9807
(In reply to Luc Menut from comment #2)
> I think that the packaging of plugins.dat should be fixed for mga4 in the
> same way that it was fixed in mga5 for bug 15311 (ghost plugins.dat + rpm
> file trigger to update it at install time).
> https://trac.videolan.org/vlc/ticket/9807

That might be nice. However, it's not that big of an issue on Mageia 4 since we aren't really using Qt5 things with it. It became a critical problem on the way to Mageia 5.
OK, VLC-2.1.6 was successfully submitted to "core/updates_testing" and "tainted/updates_testing" here: http://pkgsubmit.mageia.org/ . Do I need to prepare an advisory?
Just a note for later, if the 2.2.0 update has to go through QA, besides testing VLC itself, they could test phonon-vlc, miam-player, and tano, just to make sure there wasn't any ABI breakage in libvlccore.
(In reply to Shlomi Fish from comment #4)
> OK VLC-2.1.6 was successfully submitted to "core/updates_testing" and
> "tainted/updates_testing" here: http://pkgsubmit.mageia.org/ . Do I need to
> prepare an advisory?

Yes. Since 2.2.0 and 2.1.6 need to be handled separately, you can clone this bug (see the link at the bottom right), make the new bug just for the 2.1.6 update, post the advisory and package list, and assign to QA. Thanks.
Blocks: (none) => 15384
Blocks: 15384 => (none)
Summary: VLC 2.1.6 and 2.2.0 => VLC 2.2.0 update for Mageia 5
Whiteboard: MGA4TOO => MGA5TOO
vlc-2.2.0-1.mga5 uploaded for Cauldron. Thanks Christiaan!
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Whiteboard: MGA5TOO => (none)