There is no fix yet, but we should ship it when it is ready.
https://trac.videolan.org/vlc/ticket/22474
https://nvd.nist.gov/vuln/detail/CVE-2019-13615
Whiteboard: (none) => MGA6TOO
QA Contact: (none) => security
Component: RPM Packages => Security
Assignee: bugsquad => shlomif
Summary: Critical security issue in vlc => vlc new security issue CVE-2019-13615
Looks like an invalid report in the VLC bug tracker. Please recheck.
CC: (none) => linux
If we have a newer libebml in mga6 and mga7 which we link to, I agree. Unfortunately they don't say which version is vulnerable. Sorry for the noise; it was announced in the local IT press not to use vlc.
From https://trac.videolan.org/vlc/ticket/22474#comment:21
"Issue is too old libebml in Ubuntu 18.04: libebml 1.3.6 fixes this issue. End of story: VLC is not vulnerable, whether this is 3.0.7.1 or even 3.0.4. The issue is in a 3rd party library, and it was fixed in VLC binaries version 3.0.3, out more than one year ago..."
In Mageia 7 we have 1.3.7, but in Mageia 6 we have 1.3.4, not sure if that version is vulnerable.
Whiteboard: MGA6TOO => (none)
Summary: vlc new security issue CVE-2019-13615 => libebml new security issue CVE-2019-13615
Version: 7 => 6
Source RPM: vlc-3.0.7.1-1.mga7.src.rpm => libebml-1.3.4-1.mga6.src.rpm
Ubuntu has issued an advisory for this on July 25: https://usn.ubuntu.com/4073-1/
Status comment: (none) => Fixed upstream in 1.3.6
CC: (none) => luigiwalser
Mageia 6 is EOL.
CC: (none) => mrambo
Status: NEW => RESOLVED
Resolution: (none) => OLD