Your message dated Sat, 17 Feb 2018 23:50:20 +0000 with message-id <e1encfi-0005mp...@fasolo.debian.org> and subject line Bug#890410: fixed in mpv 0.27.2-1 has caused the Debian Bug report #890410, regarding mpv: fix for CVE-2018-6360 overlooks subtitles to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
890410: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890410
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mpv
Version: 0.23.0-1
Severity: grave
Tags: security upstream

Yet another bug relating to the fix for CVE-2018-6360...

This time the bug is not a regression, but a mistake upstream made when
writing the original patch. Upstream overlooked the handling of subtitle
URLs which were not protected. Upstream has released 0.27.2 and 0.28.2
to fix these. I think the bug affects 0.23 as well (but I have not yet
checked).

Possibly this warrants a new CVE number.

Upstream commit:
https://github.com/mpv-player/mpv/commit/3e71eb8676de53a05f51b987d294e7d2fa0a5bc1

James
--- End Message ---
--- Begin Message ---
Source: mpv
Source-Version: 0.27.2-1

We believe that the bug you reported is fixed in the latest version of
mpv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 890...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowg...@debian.org> (supplier of updated mpv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Fri, 16 Feb 2018 22:56:00 +0000
Source: mpv
Binary: mpv libmpv1 libmpv-dev
Architecture: source
Version: 0.27.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintain...@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowg...@debian.org>
Description:
 libmpv-dev - video player based on MPlayer/mplayer2 (client library dev files)
 libmpv1    - video player based on MPlayer/mplayer2 (client library)
 mpv        - video player based on MPlayer/mplayer2
Closes: 890410
Changes:
 mpv (0.27.2-1) unstable; urgency=medium
 .
   * New upstream bugfix release.
     - Also whitelist subtitle URLs in youtube-dl hook.
       (Closes: #890410)
--- End Message ---