Mageia alert MGASA-2021-0313 (live)
| From: | Mageia Updates <buildsystem-daemon@mageia.org> | |
| To: | updates-announce@ml.mageia.org | |
| Subject: | [updates-announce] MGASA-2021-0313: Updated live packages fix security vulnerabilities | |
| Date: | Sun, 04 Jul 2021 04:15:05 +0200 | |
| Message-ID: | <20210704021505.2942FA013F@duvel.mageia.org> | |
| Archive-link: | Article |
MGASA-2021-0313 - Updated live packages fix security vulnerabilities Publication date: 04 Jul 2021 URL: https://advisories.mageia.org/MGASA-2021-0313.html Type: security Affected Mageia releases: 7, 8 CVE: CVE-2019-15232, CVE-2021-28899 Description: Updated live packages fix security vulnerabilities: Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors (CVE-2019-15232). Vulnerability in the AC3AudioFileServerMediaSubsession, ADTSAudioFileServerMediaSubsession, and AMRAudioFileServerMediaSubsessionLive OnDemandServerMediaSubsession subclasses in Networks LIVE555 Streaming Media before 2021.3.16 (CVE-2021-28899). The mplayer package has been rebuilt against the updated live package. References: - https://bugs.mageia.org/show_bug.cgi?id=29175 - http://lists.live555.com/pipermail/live-devel/2021-March/... - http://live555.com/liveMedia/public/changelog.txt - https://lists.opensuse.org/archives/list/security-announc... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2... SRPMS: - 7/tainted/mplayer-1.4-1.1.mga7.tainted - 7/core/live-2021.06.25-1.mga7 - 7/core/mplayer-1.4-1.1.mga7 - 8/tainted/mplayer-1.4-9.3.mga8.tainted - 8/core/live-2021.06.25-1.mga8 - 8/core/mplayer-1.4-9.3.mga8