VLC player has critical security flaw - July 23, 2019 - UPDATED

IainB:
I never did trust Bach anyway.
-IainB (Today at 05:40:09)

yet he will be Bach
-Curt (July 24, 2019, 06:09 AM)
--- End quote ---
Har-de-har-har.
I just put that joke in as a placeholder whilst I wrote a (hopefully) useful response (done now, see above).

What is the question, the answer to which is "9W"?
Spoiler: Is that spelt with a "V", Herr Vagner?

mouser:
UPDATE:

https://www.ghacks.net/2019/07/24/confusion-critical-vlc-media-player-vulnerability/
"Update: VideoLAN confirmed that the issue was not a security issue in VLC Media Player. The engineers detected that the issue was caused by an older version of the third-party library called libebml that was included in older versions of Ubuntu. The researcher used that older version of Ubuntu apparently. End"

From VLC: "End of story: VLC is not vulnerable, whether this is 3.0.7.1 or even 3.0.4. The issue is in a 3rd party library, and it was fixed in VLC binaries version 3.0.3, out more than one year ago…"

Deozaan:
Update: VideoLAN confirmed that the issue was not a security issue in VLC Media Player. The engineers detected that the issue was caused by an older version of the third-party library called libebml that was included in older versions of Ubuntu. The researcher used that older version of Ubuntu apparently. End
-https://www.ghacks.net/2019/07/24/confusion-critical-vlc-media-player-vulnerability/
--- End quote ---

Wut? :huh:

The TechRadar article says:

The issue has been detected in the Windows, Linux and UNIX versions of VLC, however the macOS version appears to be unaffected.

VideoLAN, the not-for-profit organisation behind VLC Media Player, says it has been working on a patch for the flaw for the last four weeks, and is 60 percent through.
-https://www.techradar.com/news/vlc-player-has-critical-security-flaw
--- End quote ---

Where did they get the information that the exploit exists on multiple OSes and that VideoLAN was only 60% finished with a patch for the flaw when VideoLAN says it was fixed over a year ago and only vulnerable on an old* version of Ubuntu which uses an old 3rd party library?




* To be fair to the researcher, the "old" version of Ubuntu is supposedly Ubuntu 18.04, which is the most recent LTS version of Ubuntu.
