Please backport vlc to 0.9.8a in Intrepid (important security update)

Bug #307239 reported by Bartosz Kosiorek
This bug affects 3 people
Affects                  Status        Importance  Assigned to  Milestone
Hardy Backports          Invalid       Undecided   Unassigned
Intrepid Ibex Backports  Invalid       Undecided   Unassigned
Karmic Backports         Invalid       Undecided   Unassigned
vlc (Ubuntu)             Fix Released  Undecided   Unassigned
  Hardy                  Won't Fix     Undecided   Unassigned
  Intrepid               Invalid       Undecided   Unassigned
  Jaunty                 Fix Released  Undecided   Unassigned

Bug Description

Please backport vlc to 0.9.8a in Intrepid.
This is a very important security upgrade.

vlc (0.9.8a-1ubuntu1) jaunty; urgency=low

  * merge from debian. LP: #300328, #305100, #289263
  * Fixes CVE-2008-5276
  * remaining changes
    - build against libxul-dev instead of iceape-dev
    - build against libdca-dev, libass-dev and libx264-dev
    - build against and install libx264 plugin
    - adjust Vcs-Bzr Headers in debian/control
    - add Xb-Npp header to vlc package
    - debian/patches/301_DVD_media.diff: Change %U to %f
       in VLC .desktop file, cf LP #275043

https://launchpad.net/ubuntu/jaunty/+source/vlc/0.9.8a-1ubuntu1
http://www.videolan.org/security/

description: updated
John Dong (jdong) wrote :

Right now we are considering doing this in intrepid-security directly; if that does not work out we will continue in the Backports route.

Matti Lindell (mlind) wrote :

I backported vlc from Jaunty for personal use and uploaded it to my PPA.

The following changes were necessary for intrepid:
  * debian/control:
    - Build against versioned (fixed) libass.
    - Build against libxxf86dga-dev and libxxf86vm-dev to fix FTBFS.
  * debian/patches/402_enable_embedded_video.diff:
    - Enable embedded video with Qt >= 4.3.

Bartosz Kosiorek (gang65) wrote :

VLC 0.9.8a is already packaged in Jaunty.
Please backport it, and set Priority to High due to security issues.

Scott Kitterman (kitterman) wrote :

Security fixes are handled through the security update process, not through backports.

Changed in hardy-backports:
status: New → Invalid
Changed in intrepid-backports:
status: New → Invalid
Kees Cook (kees) wrote :

Fixed in Jaunty.

Changed in vlc (Ubuntu):
status: New → Confirmed
status: Confirmed → Fix Released
Changed in vlc (Ubuntu Intrepid):
status: New → Confirmed
Changed in vlc (Ubuntu Hardy):
status: New → Confirmed
Nicola Ferralis (feranick) wrote :

VLC 0.9.9.a available in jaunty. Changelog:

Decoders:
 * Experimental new decoder for Real Video 3.0 & 4.0

Demuxers:
 * Various fixes related to real demuxer

New Localizations:
 * Indonesian
 * Bengali
 * Updates of other localizations

Various bugfixes:
 * Support for receiving RTP packets on odd port numbers.
 * Lots of small bugfixes.
 * Correct Fullscreen behaviour on Multi-Screen setups on Windows
 * Telnet fixes on Windows
 * Resampling fixes when transcoding

johngus (johngus6720)
Changed in vlc (Ubuntu):
status: Fix Released → New
Benjamin Drung (bdrung)
Changed in vlc (Ubuntu):
status: New → Fix Released
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug has been fixed in newer releases of Ubuntu.

Changed in vlc (Ubuntu Intrepid):
status: Confirmed → Invalid
Changed in karmic-backports:
status: New → Invalid
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in vlc (Ubuntu Hardy):
status: Confirmed → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
