-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1528
                             vlc security update
                                 18 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VLC
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-17670

Original Bulletin:
   http://www.debian.org/security/2018/dsa-4203

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running VLC check for an updated version of the software for their
         operating system.

         Debian notes that VLC in Debian 8 is end-of-life and will not
         receive this fix.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4203-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 17, 2018                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : vlc
CVE ID         : CVE-2017-17670

Hans Jerry Illikainen discovered a type conversion vulnerability in the
MP4 demuxer of the VLC media player, which could result in the execution
of arbitrary code if a malformed media file is played.

This update upgrades VLC in stretch to the new 3.x release series (as
security fixes couldn't be sensibly backported to the 2.x series). In
addition two packages needed to be rebuilt to ensure compatibility with
VLC 3: phonon-backend-vlc (0.9.0-2+deb9u1) and goldencheetah
(4.0.0~DEV1607-2+deb9u1).

VLC in jessie cannot be migrated to version 3 due to incompatible library
changes with reverse dependencies and is thus now declared end-of-life
for jessie. We recommend upgrading to stretch or picking a different
media player if that's not an option.

For the stable distribution (stretch), this problem has been fixed in
version 3.0.2-0+deb9u1.

We recommend that you upgrade your vlc packages.

For the detailed security status of vlc please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/vlc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlr9nlUACgkQEMKTtsN8
Tjb5rw/+OncZS6nB0uDqmA0RcZugqvskqQReQbBqImwSSEzn2u9JY6wgi/Rmiuvr
N+wsrXTw9ws2yewMah9Yy+K0+Ucq0+Hl+pPtjaSFhC8RKaYXZaS3GsdxutWuLxgz
WtRPIU3o4+PP8fssR9P7uHRYESmT2+sccIB55vBj9TvLzZhgQJz4sniowbJ7en96
lVTBFpBesXXmijbLcabLSOzGDQ5qVcN5P4f+Alng+D5b1buIw75Efw70S9HCYX8H
YexCfzOxEqcBxV3UNaUWPSXD/OCXt8cGxLzuQa03YhgDJLlasuXYJifPq8bffBkB
UhE9yhDs9eZFyUMgZZ7dQVl6fO1/qKYBW4nTNAc2MTyPL+8olO2fSdA4nG4hDR8i
HJC8E+vyWrbzYIivDEuDQats6e24R1wXrCdo1TG11R6iY7t1Mqg7paufK2oOOWbr
XRF6rkpWhlfo3EJoU2dqxs90/LHnPaAM89GPkNBftmDrBKYKw3QhiULp2t6Ob9rk
FTkycbZrGFKDTeacLfCZ6JnqrKHQC8F0M5JvV19ff1NU6SvpRWHxPQC3C/22u1L0
rjWPE0nLimyQ2QnHn8/hNp6sK0iEAGrl+XLPrw+dewsObq+UCDgHuyHJfYJnX2hx
IGvl7VddHx5kBD78rL1ODMVmWIRHavt193u7/jfUKT+2PxOUwnY=
=a0n7
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWv4feox+lLeg9Ub1AQim+xAAnP4Sy4Yo51t8P+JN9+6Y2/6dGtYLcAbq
jXoh5d3BZyR3a8hpmdKRRcFotz5k3/5FBg5PR7/00+CZJNPWnFb+5JuQWd8mnUhz
pS5aSxrhVTt8U8e9frDEu5ScvStmqqXgdVJH9/eMA04LXfJi05D+jc8x5ztYfkRk
rqItPlgGVBvzeCIgB32uXmcK8V8rxh6dmVK1vw94Pr9JLP99m/BII2QSjG+hiOsf
wRyadvQJ8Ym2BddsYQGzjDxJjzHyqYQ06Pl9UODr7UUOSQGtMxXUSfTBbbRisnqH
AKjVMFi8vnJ0gRiOR3OWH1/TDoumN9KpE6F5KUcOhucx/0WOwenmBgDFkk9tfKTN
WOhfDii7ExTTXMrMz9g+5wGkivj7Cne6iD9KTv3xARfgF8lIXEW9oyEkIb8aSMgw
PtMTxPe0t6P0J7B1FgXLUvKrWh/uYxHn7icx1oav7uANzfVyax2iE9kU/TXYVNzW
suzaUP2PqWgXop+rJb2A5CU1Z9FwIb/odRh5V8L4PsGmHto3eJlGOYbR54xHwi19
4plLcBlEl75y8HgCphw7BAcHvasobc1BOBKsrgD+mOfVGG0hTdWf4JS1oyrfbFfc
5zDzBnxAjjt7x/IKng7mQtXPAoFIh7oeAkDg+Ynk5eUpq2mfXehRbdpcbVXa7R6f
mRBi513CxCc=
=VGyS
-----END PGP SIGNATURE-----