Hi Richardo,

I'm not sure if you have seen this email: Moritz from the Debian
security team is reporting a release-critical bug in smplayer. More
specifically, smplayer appears to be using the mongoose webserver
implementation as an implementation detail of the chromecast
component.

Having to remove smplayer would be most unfortunate. I checked the
upstream commits at
https://github.com/cesanta/mongoose/commits/master, but apparently
there is no fix available yet. Maybe I'm missing something but if not,
my question to you is whether we can easily disable the chromecast
component from the smplayer build?

Please let me know your thoughts on this.

Best,
Reinhard

---------- Forwarded message ---------
From: Moritz Muehlenhoff <j...@debian.org>
Date: Thu, May 17, 2018 at 12:51 PM
Subject: Bug#898943: Multiple vulnerabiliities in Mongoose
To: Debian Bug Tracking System <sub...@bugs.debian.org>


Source: smplayer
Severity: grave
Tags: security

smplayer seems to embed Cesanta Mongoose:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922

Cheers,
        Moritz



-- 
regards,
    Reinhard
