MGASA-2021-0313 - Updated live packages fix security vulnerabilities Publication date: 04 Jul 2021 URL: https://advisories.mageia.org/MGASA-2021-0313.html Type: security Affected Mageia releases: 7, 8 CVE: CVE-2019-15232, CVE-2021-28899 Updated live packages fix security vulnerabilities: Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors (CVE-2019-15232). Vulnerability in the AC3AudioFileServerMediaSubsession, ADTSAudioFileServerMediaSubsession, and AMRAudioFileServerMediaSubsessionLive OnDemandServerMediaSubsession subclasses in Networks LIVE555 Streaming Media before 2021.3.16 (CVE-2021-28899). The mplayer package has been rebuilt against the updated live package. References: - https://bugs.mageia.org/show_bug.cgi?id=29175 - https://lists.live555.com/pipermail/live-devel/2021-March/021891.html - https://live555.com/liveMedia/public/changelog.txt - https://lists.opensuse.org/archives/list/[email protected]/thread/Y7ZOGH7UAC6Q7OJHR62KOMWS64YF4G73/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15232 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28899 SRPMS: - 7/tainted/mplayer-1.4-1.1.mga7.tainted - 7/core/live-2021.06.25-1.mga7 - 7/core/mplayer-1.4-1.1.mga7 - 8/tainted/mplayer-1.4-9.3.mga8.tainted - 8/core/live-2021.06.25-1.mga8 - 8/core/mplayer-1.4-9.3.mga8