Last Updated: 2008-06-10 12:45:50 UTC
by Swa Frantzen (Version: 2)
One of those little things your users might manage to get installed for themselves is VLC.
Well, they too have a new release that passed by all too quietly in the last few days. Barry reminded us about it.
So VLC Media Player 0.8.6h is the one you want to upgrade to. It fixes "security vulnerabilities in the Mozilla and ActiveX plugins, in the libpng, libid3tag, libvorbis libraries and in the Speex codec."
From their release notes:
- Updated GnuTLS and libgcrypt (CVE-2008-1948, CVE-2008-1949, CVE-2008-1950)
- Updated libxml2 (CVE-2007-6284)
0.8.6g (source release):
- Removed VLC variable settings from Mozilla and ActiveX (CVE-2007-6683, VideoLAN-SA-0804)
- Removed loading plug-ins from the current directory (CVE-2008-2147, VideoLAN-SA-0805)
- Updated libpng (CVE-2008-1382)
- Fixed libid3tag denial of service (CVE-2008-2109)
- Fixed libvorbis vulnerabilities (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)
- Fixed speex insufficient boundary check (CVE-2008-1686, oCERT-2008-004)
Make sure you are warned by even the smallest vendor or software maker whose software you use, or sooner or later you'll miss getting one patched before you discover it has been exploited.
Swa Frantzen -- Gorilla Security