Bug 23092 - VLC 3.0.4, including security issue(s) in MP4 demuxer
Summary: VLC 3.0.4, including security issue(s) in MP4 demuxer
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-05-28 15:33 CEST by David Walser
Modified: 2018-10-19 20:01 CEST
CC List: 6 users

See Also:
Source RPM: vlc-3.0.2-3.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-05-28 15:33:01 CEST
VLC 3.0.3 is out:
https://www.videolan.org/developers/vlc-branch/NEWS

It looks like it's just a bug fix release primarily.

It does say this:
* Numerous 3rd party libraries updated, fixing security issues

but we probably don't build those libraries bundled.  It'd be nice to get some details on that to make sure we aren't missing needed updates for our system libraries.
David Walser 2018-05-28 15:33:10 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-05-28 20:52:48 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 Shlomi Fish 2018-05-29 21:00:05 CEST
Already updated in mga7/cauldron.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 3 David Walser 2018-05-29 22:15:08 CEST
Update built for mga6 too, but incorrectly built with a subrel (of 0, no less), which makes its release tag higher than in mga7.  New versions should always be release tag 1 with no subrel.
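Added example, not part of this bug report and not rpm's own source: a Python port of rpm's rpmvercmp() label comparison plus an EVR wrapper, used to show why a stray subrel on the mga6 build matters. rpm compares release tags segment by segment and treats a numeric segment as newer than an alphabetic one, so a release tag of the form 1.0.mga6 sorts above 1.mga7 and a Mageia 6 to 7 upgrade would keep the old package. The exact bad tag is not shown on this page; 1.0.mga6 is assumed for illustration.

```python
# Added example: a Python port of rpm's rpmvercmp() label comparison plus an
# EVR wrapper.  Not from the Mageia bug report or from rpm itself; the
# release tags used in the demo (e.g. "1.0.mga6") are assumed for illustration.
import re

_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def _is_alnum(ch: str) -> bool:
    return ("0" <= ch <= "9") or ("a" <= ch <= "z") or ("A" <= ch <= "Z")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as label `a` sorts older than, equal to, or newer than `b`.

    Mirrors rpm's algorithm: walk both strings, skipping separators; compare
    the next all-digit or all-letter segment from each side (digits numerically,
    letters lexically); a numeric segment is always newer than an alphabetic
    one; '~' sorts before everything, including end of string.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separator characters such as '.' or '-'
        while i < len(a) and not _is_alnum(a[i]) and a[i] != "~":
            i += 1
        while j < len(b) and not _is_alnum(b[j]) and b[j] != "~":
            j += 1
        # tilde handling: "1.0~rc1" is older than "1.0"
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        seg = _DIGITS if isnum else _ALPHA
        ma = seg.match(a, i)
        mb = seg.match(b, j)
        if mb is None:
            # mixed types at this position: the numeric side is newer
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        if isnum:
            # drop leading zeros; the longer remaining number is larger
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ma.end(), mb.end()
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str) -> tuple[str, str, str]:
    """Split '[epoch:]version-release' into (epoch, version, release); a missing epoch is '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evrcmp(x: str, y: str) -> int:
    """Order two EVR strings the way rpm orders packages: epoch, then version, then release."""
    for p, q in zip(parse_evr(x), parse_evr(y)):
        rc = rpmvercmp(p, q)
        if rc:
            return rc
    return 0


def upgrade_path_ok(installed_evr: str, next_release_evr: str) -> bool:
    """True if moving to the next distro release would actually replace the installed package."""
    return evrcmp(installed_evr, next_release_evr) < 0


if __name__ == "__main__":
    # Assumed tags: an mga6 build wrongly carrying subrel 0 versus the mga7 build,
    # then the corrected pair with release tag 1 and no subrel.
    for old, new in [("3.0.3-1.0.mga6", "3.0.3-1.mga7"),
                     ("3.0.4-1.mga6", "3.0.4-1.mga7")]:
        state = "OK" if upgrade_path_ok(old, new) else "BLOCKED"
        print(f"{old} -> {new}: upgrade {state}")
```

The same comparison can be cross-checked against the real implementation with rpmdev-vercmp from rpmdevtools or rpm.labelCompare from the rpm Python bindings; the point of the port is only to make the numeric-beats-alpha rule visible without a Mageia chroot.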
Comment 4 Shlomi Fish 2018-05-30 08:50:14 CEST
(In reply to David Walser from comment #3)
> Update built for mga6 too, but incorrectly built with a subrel (of 0, no
> less), which makes its release tag higher than in mga7.  New versions should
> always be release tag 1 with no subrel.

Hi David!

This comment of yours brought me into a nervous breakdown. Why can't I get the subrel/rel thing right for once? This is so confuzzling and confusing and error-prone. I hate it!!!
Comment 5 Frédéric "LpSolit" Buclin 2018-07-08 00:07:17 CEST
Why isn't this bug reassigned to QA?
Comment 6 David Walser 2018-07-08 14:24:56 CEST
Because it needs to be removed from updates_testing and rebuilt without a subrel.
Comment 7 Frédéric "LpSolit" Buclin 2018-07-08 18:11:35 CEST
Shlomi, could you please resubmit VLC without the subrel?
Comment 8 David Walser 2018-07-08 18:56:57 CEST
He can't.  The sysadmins need to remove the bad build first.  I have asked on their IRC channel for a month and they have ignored me.
Comment 9 David Walser 2018-07-19 15:42:21 CEST
Debian has issued an advisory on July 18:
https://www.debian.org/security/2018/dsa-4251

It fixes CVE-2018-11529 in the MP4 demuxer.  I wonder if this is one of the many MP4 issues that have been posted about on oss-security lately:
http://openwall.com/lists/oss-security/

Anyway, if we add the patch for this and any other MP4-related needed patches, we can get this update finally unstuck.  Just change the subrel to 1 for the update.

Summary: VLC 3.0.3 => VLC 3.0.3, plus security issue(s) in MP4 demuxer
Component: RPM Packages => Security
QA Contact: (none) => security

Comment 10 David Walser 2018-08-31 21:38:43 CEST
VLC 3.0.4 is now out, so we should update to that (no subrel this time).

Summary: VLC 3.0.3, plus security issue(s) in MP4 demuxer => VLC 3.0.4, including security issue(s) in MP4 demuxer

Comment 11 José Jorge 2018-10-12 18:28:03 CEST
I am pushing 3.0.4

CC: (none) => lists.jjorge

José Jorge 2018-10-12 22:45:04 CEST

Assignee: shlomif => qa-bugs

Comment 12 José Jorge 2018-10-12 22:47:38 CEST
RPMs (core and tainted):
vlc-3.0.4-1.mga6.tainted.x86_64.rpm 
lib64vlc5-3.0.4-1.mga6.tainted.x86_64.rpm 
lib64vlccore9-3.0.4-1.mga6.tainted.x86_64.rpm 
lib64vlc-devel-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-common-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-zvbi-3.0.4-1.mga6.tainted.x86_64.rpm  
vlc-plugin-kate-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-libass-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-lua-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-ncurses-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-lirc-3.0.4-1.mga6.tainted.x86_64.rpm 
svlc-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-aa-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-sdl-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-shout-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-opengl-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-vdpau-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-projectm-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-theora-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-twolame-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-fluidsynth-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-gme-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-schroedinger-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-speex-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-flac-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-dv-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-mod-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-mpc-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-sid-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-pulse-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-jack-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-upnp-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-gnutls-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-libnotify-3.0.4-1.mga6.tainted.x86_64.rpm 
vlc-plugin-chromaprint-3.0.4-1.mga6.tainted.x86_64.rpm

Status: NEW => ASSIGNED

Comment 13 David Walser 2018-10-12 22:48:52 CEST
Core versions of the packages are:
vlc-3.0.4-1.mga6
libvlc5-3.0.4-1.mga6
libvlccore9-3.0.4-1.mga6
libvlc-devel-3.0.4-1.mga6
vlc-plugin-common-3.0.4-1.mga6
vlc-plugin-zvbi-3.0.4-1.mga6
vlc-plugin-kate-3.0.4-1.mga6
vlc-plugin-libass-3.0.4-1.mga6
vlc-plugin-lua-3.0.4-1.mga6
vlc-plugin-ncurses-3.0.4-1.mga6
vlc-plugin-lirc-3.0.4-1.mga6
svlc-3.0.4-1.mga6
vlc-plugin-aa-3.0.4-1.mga6
vlc-plugin-sdl-3.0.4-1.mga6
vlc-plugin-shout-3.0.4-1.mga6
vlc-plugin-opengl-3.0.4-1.mga6
vlc-plugin-vdpau-3.0.4-1.mga6
vlc-plugin-projectm-3.0.4-1.mga6
vlc-plugin-theora-3.0.4-1.mga6
vlc-plugin-twolame-3.0.4-1.mga6
vlc-plugin-fluidsynth-3.0.4-1.mga6
vlc-plugin-gme-3.0.4-1.mga6
vlc-plugin-schroedinger-3.0.4-1.mga6
vlc-plugin-speex-3.0.4-1.mga6
vlc-plugin-flac-3.0.4-1.mga6
vlc-plugin-dv-3.0.4-1.mga6
vlc-plugin-mod-3.0.4-1.mga6
vlc-plugin-mpc-3.0.4-1.mga6
vlc-plugin-sid-3.0.4-1.mga6
vlc-plugin-pulse-3.0.4-1.mga6
vlc-plugin-jack-3.0.4-1.mga6
vlc-plugin-upnp-3.0.4-1.mga6
vlc-plugin-gnutls-3.0.4-1.mga6
vlc-plugin-libnotify-3.0.4-1.mga6
vlc-plugin-chromaprint-3.0.4-1.mga6

from vlc-3.0.4-1.mga6.src.rpm
Comment 14 Len Lawrence 2018-10-13 10:26:28 CEST
Mageia 6, x86_64

vlc tainted already installed so went with that and updated 35 packages.
Not familiar with the support provided by all of the plugins so testing is a bit random.

svlc in use at every launch.  DestroyVLC.vlt theme is working fine.
Command-line operation mostly.  No problems with audio or video.

'vlc file' and 'vlc playlist' work, and all the various controls.  Files can also be located via the internal file manager.

File formats tested:
mp3, flac, ogg, wav, mp4/m4v/mkv + srt, mpg, m2t, mov, webm/wmv, swf and m3u for playlists.

Also tried
$ vlc channels.xspf
to display free-to-air television.  The xspf file translates into a playlist.
SD and HD channels work very well.

Looking good so far.  Trying the core version later.

CC: (none) => tarazed25

Comment 15 Thomas Andrews 2018-10-15 19:41:39 CEST
On real 32-bit hardware, Dell Inspiron 5100, P4, 2GB RAM, radeon 7500 graphics (running under VESA driver), old Atheros wifi, 32-bit Plasma system.

Running the tainted packages. I always update to the tainted packages of vlc when I make a new Mageia install, as in the past I have been unable to play certain videos unless I did.

All packages updated cleanly. I too don't know much about the other functions of vlc, as all I do with it is play videos and/or DVDs. I tried playing four different videos, and all played normally. No regressions noted. I could not test the DVD function on this hardware, as the DVD drive is non-functional.

As far as I can see, it looks good on this hardware.

CC: (none) => andrewsfarm

Comment 16 Thomas Andrews 2018-10-16 17:41:25 CEST
Created a 64-bit Plasma system in VirtualBox, using the 6.1 LiveDVD iso. This system is to contain no tainted packages, and no packages were installed other than those from the 6.1 iso. 

After getting updates, played both mp4 and mkv videos from a shared folder using vlc. Each played, though the action was a bit "choppy," consistent with playing videos on virtual machines on this host hardware.

Updated the vlc packages, and all packages installed cleanly. Played the videos again, and there was no change in the way they played.

Non-tainted version seems OK in VirtualBox. Giving it OKs and verifying.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs

Thomas Backlund 2018-10-19 19:27:21 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 17 Mageia Robot 2018-10-19 20:01:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0400.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
