type: security
subject: Updated live, ffmpeg, mplayer, and vlc packages fix security vulnerabilities
CVE:
 - CVE-2018-4013
 - CVE-2018-15822
src:
  6:
   core:
     - live-2018.11.26-1.mga6
     - ffmpeg-3.3.9-1.mga6
     - mplayer-1.3.0-13.mga6
     - vlc-3.0.5-2.mga6
   tainted:
     - ffmpeg-3.3.9-1.mga6.tainted
     - mplayer-1.3.0-13.mga6.tainted
     - vlc-3.0.5-2.mga6.tainted
description: |
  A bug in the server implementation of RTSP-over-HTTP in live could allow
  a denial-of-service attack.

  A bug in the server implementation of RTSP-over-HTTP could allow a
  buffer overflow, which could result in the execution of arbitrary code
  when parsing a malformed RTSP stream (CVE-2018-4013).

  The flv_write_packet function in libavformat/flvenc.c in FFmpeg through
  3.3.8 does not check for an empty audio packet, leading to an assertion
  failure (CVE-2018-15822).

  The live package has been updated to version 2018.11.26, the ffmpeg
  package has been updated to version 3.3.9, and the vlc package has been
  updated to version 3.0.5, fixing these issues and other bugs.

  The mplayer package has been rebuilt against the updated live package to
  fix the RTSP-over-HTTP issues in mplayer.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=24071
 - http://live555.com/liveMedia/public/changelog.txt
 - https://www.videolan.org/developers/vlc-branch/NEWS
 - https://www.debian.org/security/2018/dsa-4343
ID: MGASA-2019-0029