Change logs for vlc source package in Jessie

  • vlc (2.2.7-1~deb8u1) jessie-security; urgency=high
    
      * New upstream release.
        - Fix crash in libavcodec module (heap write out-of-band). (CVE-2017-10699)
        - Fix flac heap write overflow on format change. (CVE-2017-9300)
        - Fix AVI read/write overflow.
    
     -- Sebastian Ramacher <email address hidden>  Sun, 19 Nov 2017 16:28:34 +0100
  • vlc (2.2.6-1~deb8u1) jessie-security; urgency=high
    
      * New upstream release.
        - subtitle: Fix heap buffer overflows (CVE-2017-8312).
        - subtitle: Fix invalid double increment (CVE-2017-8311).
        - flac: Fix potential out-of-band dereference.
        - mpeg: Fix potential out-of-band reads.
        - subtitle: Fix infinite loop.
        - ogg: Fix incorrect memory free.
        - subtitle: Fix potential out-of-band reads (CVE-2017-8310, CVE-2017-8313).
    
     -- Sebastian Ramacher <email address hidden>  Thu, 25 May 2017 11:57:56 +0200
  • vlc (2.2.5-1~deb8u1) jessie; urgency=medium
    
      * New upstream release.
        - adpcm: Fix heap corruption.
        - dvd: Fix heap corruption.
        - asf: Fix integer overflow.
        - mp4: Fix divide-by-zero error and heap buffer overflow.
        - flac: Fix integer overflow and NULL pointer dereference.
        - ftp: Fix scan string injection.
        - voc: Fix divide-by-zero error.
        - xa: Fix divide-by-zero error.
        - smf: Fix divide-by-zero error.
        - nsvf: Fix infinite loop.
        - aiff: Fix infinite loop.
    
     -- Sebastian Ramacher <email address hidden>  Fri, 07 Apr 2017 19:32:28 +0200
  • vlc (2.2.4-1~deb8u1) jessie-security; urgency=medium
    
      * New upstream release.
        - quicktime: Reject invalid IMA files (CVE-2016-5108). (Closes: #825728)
        - pulse: Compute latency correctly if negative, fixing missing audio on
          high network latency. (Closes: #784640)
        - alsa: Fix audio device selection. (Closes: #801448)
        - hls: Fix hang on stop, crashes and stack overflow.
        - mkv: Fix infinite loop.
        - vpx: Fix crash.
        - mxf: Fix crash on stop.
        - adpcm: Fix double-free.
        - zvbi: Fix crash.
        - skins2: Fix crash on malformed skin bitmaps.
        - swscale: Fix crashes in swscale resizing.
        - mp4: Fix divide-by-zero crash in mux.
        - rtsp: Fix off-by-one buffer overflow.
        - mms: Fix segmentation fault on large allocation, fix overflows.
        - lua: Fix use-after-free.
        - httplive: Fix stack overflow.
        - avformat: Fix heap overflow, NULL dereference and double-free.
        - avcodec: Fix invalid free.
        - sdp: Fix read overflow.
        - vcd: Fix double-free.
        - aout: Fix use-after-free.
        - vout: Fix use-after-free.
        - realrtsp: Fix off-by-one and various crashes.
        - Fix various memory leaks.
        - Fix links to French TV icons. (Closes: #782229)
      * debian/patches/CVE-2015-5949.patch: Removed, included upstream.
      * debian/copyright: Update copyright years.
      * debian/libvlc5.symbols: Bump version of libvlc_event_type_name for new
        event names.
    
     -- Sebastian Ramacher <email address hidden>  Sun, 05 Jun 2016 17:39:38 +0200
  • vlc (2.2.1-1~deb8u1) jessie; urgency=medium
    
      [ Sebastian Ramacher ]
      * New upstream release.
      * debian/patches: Removed
        codec-schroedinger-fix-potential-buffer-overflow.patch,
        demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch, and
        stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch. They are
        included upstream.
      * debian/libvlccore8.symbols: Bump version requirements for meta data
        change. (Closes: #798763, #798899)
    
      [ Benjamin Drung ]
      * drop/rules: Drop removed --enable-glx configure flag.
    
     -- Sebastian Ramacher <email address hidden>  Fri, 01 Jan 2016 20:21:31 +0100
  • vlc (2.2.0~rc2-2+deb8u1) jessie-security; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * Add CVE-2015-5949.patch patch.
        CVE-2015-5949: Insufficient restrictions on a writable buffer in the 3GP
        file format parser can be exploited to execute arbitrary code via a
        specially crafted 3GP file.
    
     -- Salvatore Bonaccorso <email address hidden>  Wed, 19 Aug 2015 15:45:17 +0200
  • vlc (2.2.0~rc2-2) unstable; urgency=medium
    
    
      * debian/patches: Apply upstream patches for security vulnerabilities.
        (Closes: #775866)
        - codec-schroedinger-fix-potential-buffer-overflow.patch: fix potential
          buffer overflow. (CVE-2014-9629)
        - demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch: fix buffer
          overflow in parsing of string boxes. (CVE-2014-9626, CVE-2014-9627,
          CVE-2014-9628)
        - stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch: don't use
          VLA for user controlled data. (CVE-2014-9630)
    
     -- Sebastian Ramacher <email address hidden>  Wed, 21 Jan 2015 22:41:57 +0100
  • vlc (2.2.0~rc2-1) unstable; urgency=medium
    
    
      * New upstream release.
        - Fix segfault in ASCII art plugin. (Closes: #768873)
        - Fix selection of left/right channel in stereo mode. (Closes: #765830)
    
     -- Sebastian Ramacher <email address hidden>  Sun, 23 Nov 2014 13:14:07 +0100
  • vlc (2.2.0~rc1-1) unstable; urgency=low
    
    
      * New upstream release.
      * debian/vlc-nox.install.in: Correctly install sftp plugin.
    
     -- Sebastian Ramacher <email address hidden>  Fri, 07 Nov 2014 17:26:34 +0100
  • vlc (2.2.0~pre4-2) unstable; urgency=medium
    
    
      * Revert "Disable FreeRDP plugin". (Closes: #764294)
    
     -- Sebastian Ramacher <email address hidden>  Sun, 26 Oct 2014 00:02:11 +0200
  • vlc (2.2.0~pre4-1) unstable; urgency=medium
    
    
      * New upstream release.
        - Add video/ogg and audio/ogg to desktop file. (Closes: #762564)
        - Fix output issues with VDPAU. (Closes: #759818)
    
     -- Sebastian Ramacher <email address hidden>  Tue, 07 Oct 2014 00:26:32 +0200
  • vlc (2.2.0~pre3-1) unstable; urgency=medium
    
    
      [ Mateusz Łukasik ]
      * Fix typo in changelog
    
      [ Benjamin Drung ]
      * New upstream release.
      * Disable vpx plugin (not needed when having libavcodec)
      * Remove hurd.patch, because this is a bug in Hurd and not in VLC.
      * Disable OSS on Linux (Use ALSA on Linux instead of OSS.)
    
      [ Sebastian Ramacher ]
      * Disable FreeRDP plugin as requested by the Release Team because FreeRDP is
        currently broken. This allows us to finish the libav and libvlccore
        transition. As soon as FreeRDP is fixed, this change can be reverted:
        - debian/control: Remove libfreerdp-dev from Build-Depends.
        - debian/rules: Build with --disable-freerdp.
        - debian/vlc.install: Do not install the FreeRDP plugin.
      * debian/control:
        - Remove libdirac-dev from Build-Depends. It is no longer needed.
        - Bump Standards-Version. No changes required.
    
     -- Sebastian Ramacher <email address hidden>  Sat, 27 Sep 2014 18:13:50 +0200
  • vlc (2.2.0~pre2-4) unstable; urgency=medium
    
    
      * debian/vlc-nox.install.in: libi420_yuy2_altivec_plugin.so moved to
        video_chroma. Fixes package build failure on powerpc.
      * Enable shine and vpx plugins:
        - debian/control: Add libshine-dev and libvpx-dev to B-D.
        - debian/rules: Pass --enable-shine and --enable-vpx.
        - debian/vlc-nox.install.in: Install new plugins.
      * debian/rules: Explicitly disable libtar support.
      * debian/control: Lower Recommends: libdvdcss2 to Suggests to comply with
        Policy §2.2.1. Thanks to Thorsten Alteholz.
    
     -- Sebastian Ramacher <email address hidden>  Mon, 25 Aug 2014 22:58:42 +0200
  • vlc (2.1.5-1) unstable; urgency=medium
    
    
      [ Benjamin Drung ]
      * New upstream release.
      * Add FFmpeg libraries as alternative build dependencies to libav.
      * Enable VDPAU hardware decoder support.
    
      [ Mateusz Łukasik ]
      * Fix FTBFS on hurd. (Closes: #742183)
    
     -- Benjamin Drung <email address hidden>  Mon, 19 May 2014 13:56:41 +0200
  • vlc (2.1.4-1) unstable; urgency=medium
    
    
      * New upstream release (Closes: #742625, LP: #1276650)
      * SECURITY UPDATE: crafted ASF file handling integer divide-by-zero DoS
        - CVE-2014-1684
        (Closes: #743033)
    
     -- Benjamin Drung <email address hidden>  Sun, 11 May 2014 00:57:13 +0200
  • vlc (2.1.2-2) unstable; urgency=medium
    
    
      * Team upload.
      * debian/vlc-data.postinst: Check if a directory exists before trying to
        remove it. (Closes: #732806)
    
     -- Sebastian Ramacher <email address hidden>  Tue, 31 Dec 2013 15:19:27 +0100
  • vlc (2.1.2-1) unstable; urgency=medium
    
    
      [ Benjamin Drung ]
      * New upstream release.
        - Fix build failure with freetype 2.5.1 (Closes: #731513)
      * Add gpg signature check to watch file.
    
      [ Mateusz Łukasik ]
      * Bump Standards-Version to 3.9.5 (no changes needed).
    
     -- Benjamin Drung <email address hidden>  Sat, 21 Dec 2013 21:18:56 +0100
  • vlc (2.1.1-1) unstable; urgency=low
    
    
      * New upstream release.
      * Drop altivec patch (fixed upstream).
      * Remove obsolete conffiles (Closes: #703750).
    
     -- Benjamin Drung <email address hidden>  Mon, 18 Nov 2013 21:46:53 +0100
  • vlc (2.1.0-2) unstable; urgency=high
    
    
      * Remove mmx and sse2 plugins on non-x86 hardware. (Closes: #727831)
      * Disable Video4Linux2 on kFreeBSD due to a build failure. (Closes: #728130)
      * Switch to debhelper 9.
      * Update minimum version of build dependencies.
      * Explicitly disable plugins that we do not build.
      * Fix build failure on powerpc by correcting the detection of compiler flags
        for altivec.
      * Drop link-binaries-with-c++.patch.
      * Remove the libvaapi plugin from vlc if libva is disabled.
      * Enable libva on kFreeBSD.
    
     -- Benjamin Drung <email address hidden>  Tue, 29 Oct 2013 01:55:40 +0100
  • vlc (2.0.8-1) unstable; urgency=low
    
    
      * New upstream release.
      * Drop fix-ftbfs-flac-1.3.patch (applied upstream).
    
     -- Benjamin Drung <email address hidden>  Thu, 01 Aug 2013 14:19:42 +0200
  • vlc (2.0.7-3) unstable; urgency=low
    
    
      * Drop unused build-dependencies on libglib2.0-0, libsvga1-dev,
        libx11-xcb-dev, and libxt-dev. (Closes: #713989)
    
     -- Benjamin Drung <email address hidden>  Mon, 24 Jun 2013 23:07:03 +0200
  • vlc (2.0.6-1) unstable; urgency=low
    
    
      * New upstream release (LP: #1166189).
      * Drop backported man page patch.
    
     -- Benjamin Drung <email address hidden>  Mon, 08 Apr 2013 15:47:10 +0200