[needs-packaging] vlc 2.1.5 is released, software upgrade is needed

Bug #1350356 reported by Alif M. Ahmad
This bug report is a duplicate of: Bug #1419176: [SRU MRE] Update to 2.1.6 in Trusty.
This bug affects 1 person
Affects            Status   Importance  Assigned to  Milestone
gnutls28 (Ubuntu)  New      Wishlist    Unassigned
libpng (Ubuntu)    Invalid  Undecided   Unassigned
vlc (Ubuntu)       Invalid  Undecided   Unassigned

Bug Description

vlc 2.1.5 has been released.

Changes between 2.1.4 and 2.1.5:
--------------------------------

Core:
 * Fix compilation on OS/2

Access:
 * Stability improvements for the QTSound capture module

Mac OS X audio output:
 * Fix channel ordering
 * Increase the buffersize

Decoders:
 * Fix DxVA2 decoding of samples needing more surfaces
 * Improve MAD resistance to broken mp3 streams
 * Fix PGS alignment in MKV

Qt Interface:
 * Don't rename mp3 converted files to .raw

Mac OS X Interface:
 * Correctly support video-on-top
 * Fix video output event propagation on Macs with retina displays
 * Stability improvements when using future VLC releases side by side

Streaming:
 * Fix transcode when audio format changes

Security contents:
 * Updated GnuTLS to 3.1.25 (CVE-2014-3466)
 * Updated libpng to 1.6.10 (CVE-2014-0333)

Translations:
 * Update British English

Seth Arnold (seth-arnold) wrote :

The referenced CVEs were in libpng and in gnutls:

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0333.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3466.html

gnutls already had an update: http://www.ubuntu.com/usn/usn-2229-1/ and the version of libpng we ship didn't include affected code.

Thanks

information type: Private Security → Public
Changed in libpng (Ubuntu):
status: New → Fix Released
Changed in vlc (Ubuntu):
status: New → Invalid
Changed in libpng (Ubuntu):
status: Fix Released → Invalid
Owain Kenway (o-kenway) wrote :

Hi,

The vulnerability CVE-2014-3466 in GnuTLS has *not* been fixed in Trusty (at time of writing the current stable release). It's been fixed in libgnutls26, but not in libgnutls28 (which is what VLC actually uses) - see:

https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1326779

Cheers,
Dr Owain Kenway

Brian Murray (brian-murray) wrote :

*** This is an automated message ***

This bug is tagged needs-packaging which identifies it as a request for a new package in Ubuntu. As a part of the managing needs-packaging bug reports specification, https://wiki.ubuntu.com/QATeam/Specs/NeedsPackagingBugs, all needs-packaging bug reports have Wishlist importance. Subsequently, I'm setting this bug's status to Wishlist.

summary: - vlc 2.1.5 is released, software upgrade is needed
+ [needs-packaging] vlc 2.1.5 is released, software upgrade is needed
Changed in gnutls28 (Ubuntu):
importance: Undecided → Wishlist