Several security issues fixed upstream in rtmpdump were announced on December 30:
http://openwall.com/lists/oss-security/2015/12/30/1

I have updated it to a git snapshot from 20160101.

Advisory:
========================

Updated rtmpdump packages fix security vulnerabilities:

The rtmpdump package has been updated to the latest upstream code as of January 1, 2016, fixing several security issues.

References:
http://openwall.com/lists/oss-security/2015/12/30/1
========================

Updated packages in core/updates_testing:
========================
rtmpdump-2.4-0.git20160101.1.mga5
librtmp1-2.4-0.git20160101.1.mga5
librtmp-devel-2.4-0.git20160101.1.mga5

from rtmpdump-2.4-0.git20160101.1.mga5.src.rpm
mga5 i586 vbox Mate

Updated rtmpdump and used get_iplayer to run rtmpdump from the command line.

[lcl@cursa ~]$ get_iplayer --modes=best --get 50 --force
[lcl@cursa ~]$ ps aux | grep rtmpdump
lcl 3040 1.7 0.1 2968 2276 pts/1 S+ 22:32 0:00 rtmpdump --port 1935 --protocol 0 --playpath mp4:secure/1500kbps/modav/p03czmzs_b06x7cnb_1451831459522.mp4?auth=daEdxaKdzdibsbkdLbDc7dhaidOa0cqdsaY-bwJUD9-bWG-EnrGFqEoNCnHuxL&aifp=v001&slist=secure/480kbps/modav/p03czmzs_b06x7cnb_1451831463873.mp4;secure/1500kbps/modav/p03czmzs_b06x7cnb_1451831459522.mp4;secure/800kbps/modav/p03czmzs_b06x7cnb_1451831459101.mp4 --host vod-rtmp-uk-live.edgesuite.net --swfUrl http://emp.bbci.co.uk/emp/SMPf/1.11.16/StandardMediaPlayerChromelessFlash.swf --tcUrl rtmp://vod-rtmp-uk-live.edgesuite.net:80/ondemand?_fcs_vhost=vod-rtmp-uk-live.edgesuite.net&undefined&auth=daEdxaKdzdibsbkdLbDc7dhaidOa0cqdsaY-bwJUD9-bWG-EnrGFqEoNCnHuxL&aifp=v001&slist=secure/480kbps/modav/p03czmzs_b06x7cnb_1451831463873.mp4;secure/1500kbps/modav/p03czmzs_b06x7cnb_1451831459522.mp4;secure/800kbps/modav/p03czmzs_b06x7cnb_1451831459101.mp4 --app ondemand?_fcs_vhost=vod-rtmp-uk-live.edgesuite.net&undefined&auth=daEdxaKdzdibsbkdLbDc7dhaidOa0cqdsaY-bwJUD9-bWG-EnrGFqEoNCnHuxL&aifp=v001&slist=secure/480kbps/modav/p03czmzs_b06x7cnb_1451831463873.mp4;secure/1500kbps/modav/p03czmzs_b06x7cnb_1451831459522.mp4;secure/800kbps/modav/p03czmzs_b06x7cnb_1451831459101.mp4 --pageUrl http://www.bbc.co.uk/iplayer/episode/b06x7cv6 --resume -o /home/lcl/America_this_Week_-_03_01_2016_b06x7cv6_default.partial.mp4.flv --timeout 10

This downloaded an MP4 file which played fine in vlc, which is a good enough test (?).
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-32-OK
mga5 x86_64 Mate Installed the updates from Core/Updates Testing and ran get_iplayer to download an episode of Silent Witness. That played fine in vlc.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5_64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA5-32-OK MGA5_64-OK => MGA5-32-OK MGA5-64-OK
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0004.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
I have just been informed that this package exists in tainted also. Please push that one as well.
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED
Tainted packages pushed.
Status: REOPENED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
This update also fixed CVE-2015-8270, CVE-2015-8271 and CVE-2015-8272 from some other upstream commits in December 2015: https://www.ubuntu.com/usn/usn-3283-1/