Your message dated Sun, 04 Feb 2018 16:09:20 +0000
with message-id <e1eimr2-000e6r...@fasolo.debian.org>
and subject line Bug#888654: fixed in mpv 0.28.0-1
has caused the Debian Bug report #888654,
regarding mpv: CVE-2018-6360
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
888654: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888654
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mpv
Version: 0.23.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/mpv-player/mpv/issues/5456

Hi,

the following vulnerability was published for mpv.

CVE-2018-6360[0]:
| mpv through 0.28.0 allows remote attackers to execute arbitrary code
| via a crafted web site, because it reads HTML documents containing
| VIDEO elements, and accepts arbitrary URLs in a src attribute without a
| protocol whitelist in player/lua/ytdl_hook.lua. For example, an
| av://lavfi:ladspa=file= URL signifies that the product should call
| dlopen on a shared object file located at an arbitrary local pathname.
| The issue exists because the product does not consider that youtube-dl
| can provide a potentially unsafe URL.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6360
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
[1] https://github.com/mpv-player/mpv/issues/5456

Regards,
Salvatore

--- End Message ---
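As an added illustration of the missing check the advisory describes (an explicit scheme allowlist applied to URLs a youtube-dl style hook returns before the player opens them), not code from mpv or from the Debian patch; the allowlist contents and the function names are assumptions:

```python
from urllib.parse import urlsplit

# Assumed allowlist: only network streaming schemes reach the player.
# Anything else (av://, file://, scheme-less local paths) is refused,
# which is the class of input the CVE text says ytdl_hook accepted unchecked.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_safe_media_url(url: str) -> bool:
    """Return True only if url carries an allowlisted scheme and a host."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    # A bare "https:" or a scheme-relative "//host/x" must not slip through.
    return bool(parts.netloc)


def filter_downloader_urls(urls):
    """Split downloader-supplied URLs into (accepted, rejected) lists.

    The rejected list is what a hook should log instead of opening.
    """
    accepted, rejected = [], []
    for url in urls:
        (accepted if is_safe_media_url(url) else rejected).append(url)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: one benign stream and three shapes the check refuses.
    sample = [
        "https://example.invalid/stream.m3u8",
        "av://lavfi:ladspa=file=/tmp/untrusted.so",
        "file:///etc/hostname",
        "//example.invalid/no-scheme",
    ]
    ok, bad = filter_downloader_urls(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```

Logging the rejected URLs gives an operator a concrete detection signal for crafted pages that try to steer the hook toward non-HTTP protocols.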
--- Begin Message ---
Source: mpv
Source-Version: 0.28.0-1

We believe that the bug you reported is fixed in the latest version of
mpv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowg...@debian.org> (supplier of updated mpv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 04 Feb 2018 12:53:27 +0100
Source: mpv
Binary: mpv libmpv1 libmpv-dev
Architecture: source
Version: 0.28.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multime...@lists.debian.org>
Changed-By: James Cowgill <jcowg...@debian.org>
Description:
 libmpv-dev - video player based on MPlayer/mplayer2 (client library dev files)
 libmpv1    - video player based on MPlayer/mplayer2 (client library)
 mpv        - video player based on MPlayer/mplayer2
Closes: 888654
Changes:
 mpv (0.28.0-1) experimental; urgency=medium
 .
   * New upstream release.
 .
   * debian/compat:
     - Use debhelper 11.
   * debian/control:
     - Set Maintainer to debian-multimedia@l.d.o.
     - Switch Vcs URLs to salsa.debian.org.
     - Drop unused dependency on libavresample-dev.
     - Add dependencies on libarchive-dev and libvulkan-dev.
     - Bump ffmpeg dependencies to 3.5.
     - Set Rules-Requires-Root: no.
     - Bump standards to 4.1.3.
   * debian/copyright:
     - Update for 0.28.
     - Use secure copyright format URL.
   * debian/patches:
     - Drop vaapi patch applied upstream.
     - Add patch for CVE-2018-6360. (Closes: #888654)
     - Refresh other patches.


--- End Message ---
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers