VLC player has a critical flaw – and there’s no patch yet

'On the flip side, there are currently no known cases of the vulnerability being exploited in the wild
Germany’s national Computer Emergency Response Team (CERT-Bund) has issued a security advisory to alert users of VLC media player of a severe vulnerability affecting this extremely popular open-source software.
“A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, exfiltrate information, or manipulate files,” said CERT-Bund, which also discovered the security loophole.
The memory-corruption flaw is known to reside in the player’s latest release, 3.0.7.1, but may also be present in its earlier versions. It affects the program’s Windows, Linux and UNIX versions and has earned a score of 4 out of 5 on the German agency’s severity scale.'
-- source: https://cybersafe.mcttrainingconsultant.com/?p=14585
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/

'On the flip side, there are currently no known cases of the vulnerability being exploited in the wild
Germany’s national Computer Emergency Response Team (CERT-Bund) has issued a security advisory to alert users of VLC media player of a severe vulnerability affecting this extremely popular open-source software.
“A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, exfiltrate information, or manipulate files,” said CERT-Bund, which also discovered the security loophole.
The memory-corruption flaw is known to reside in the player’s latest release, 3.0.7.1, but may also be present in its earlier versions. It affects the program’s Windows, Linux and UNIX versions and has earned a score of 4 out of 5 on the German agency’s severity scale.'
-- source: https://cybersafe.mcttrainingconsultant.com/?p=14585
Follow up: "VLC Developer Debunks Reports of 'Critical Security Issue' In Open Source Media Player"
-- source: https://linux.slashdot.org/story/19/07/24/2124240
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/

Notwithstanding, here is today's VLC security update:

vlc (3.0.7.1-0ubuntu18.04.1) bionic-security; urgency=medium

  * Updated to 3.0.7.1 to fix multiple security issues.
    - debian/patches/*: sync patches with 3.0.7.1-3.
    - CVE-2018-19857
    - CVE-2019-5439
    - CVE-2019-12874
    - CVE-2019-13602

 -- Marc Deslauriers <marc.deslauriers(a)ubuntu.com>  Wed, 24 Jul 2019 10:40:43 -0400

Cheers John..

On 25/07/19 2:03 PM, Peter Reutemann wrote:
'On the flip side, there are currently no known cases of the vulnerability being exploited in the wild
Germany’s national Computer Emergency Response Team (CERT-Bund) has issued a security advisory to alert users of VLC media player of a severe vulnerability affecting this extremely popular open-source software.
“A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, exfiltrate information, or manipulate files,” said CERT-Bund, which also discovered the security loophole.
The memory-corruption flaw is known to reside in the player’s latest release, 3.0.7.1, but may also be present in its earlier versions. It affects the program’s Windows, Linux and UNIX versions and has earned a score of 4 out of 5 on the German agency’s severity scale.'
-- source: https://cybersafe.mcttrainingconsultant.com/?p=14585
Follow up: "VLC Developer Debunks Reports of 'Critical Security Issue' In Open Source Media Player"
-- source: https://linux.slashdot.org/story/19/07/24/2124240
Cheers, Peter