Advisories » MGASA-2019-0121

Updated live, mplayer, vlc packages fix security vulnerability

Publication date: 29 Mar 2019
Modification date: 29 Mar 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2019-7314 , CVE-2019-9215

Description

The updated live, mplayer, vlc packages fix security vulnerabilities:

liblivemedia in Live555 before 2019.02.03 mishandles the termination of an
RTSP stream after RTP/RTCP-over-RTSP has been set up, which could lead to
a Use-After-Free error that causes the RTSP server to crash (Segmentation
fault) or possibly have unspecified other impact. (CVE-2019-7314)

In Live555 before 2019.02.27, malformed headers lead to invalid memory
access in the parseAuthorizationHeader function. (CVE-2019-9215)

Mplayer and VLC has been rebuilt against new live packages.

Also, VLC has been updated to version 3.0.6.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=24527
• https://www.debian.org/security/2019/dsa-4408
• https://www.videolan.org/developers/vlc-branch/NEWS
• http://live555.com/liveMedia/public/changelog.txt
• https://www.cve.org/CVERecord?id=CVE-2019-7314
• https://www.cve.org/CVERecord?id=CVE-2019-9215

SRPMS

6/core

• live-2019.03.06-1.mga6
• mplayer-1.3.0-14.mga6
• vlc-3.0.6-1.mga6

6/tainted

• mplayer-1.3.0-14.mga6.tainted
• vlc-3.0.6-1.mga6.tainted