Bug#772896: browser-plugin-vlc: VLC Web Plugin is outdated and vulnerable
Sebastian Ramacher
sramacher at debian.org
Fri Dec 12 02:48:01 UTC 2014
Control: severity -1 normal
Control: reassign -1 iceweasel 31.3.0esr-1
Control: retitle -1 iceweasel: broken vlc plugin version check

On 2014-12-12 01:56:46, Vincent Lefevre wrote:
> Package: browser-plugin-vlc
> Version: 2.0.6-4
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> https://www.mozilla.org/en-US/plugincheck/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=plugincheck-update
>
> says that the VLC Web Plugin is outdated and vulnerable.
>
> Note: about:plugins confirms that this is the Debian one
> (/usr/lib/mozilla/plugins/libvlcplugin.so).

To quote Rémi from #751940#27:
> The Mozilla foundation writes code for an alternate reality where the
> version number of the VLC NPAPI plugin and the (Lib)VLC run-time have
> identical version numbers. Indeed (Lib)VLC version 2.0.0 has security
> issues. But that says nothing of version 2.0.0 of the VLC NPAPI plugin.
>
> In other words, the bug lies within the version checks of the Mozilla
> browser.

Reassigning to iceweasel. We already have #751940 to track the version
reporting issue on the VLC NPAPI plugin side.

Cheers
--
Sebastian Ramacher