[MPlayer-users] Why no security advisory for CVE-2008-3827

Attila Kinali attila at kinali.ch
Sun Oct 12 14:58:38 CEST 2008


On Sun, 12 Oct 2008 14:18:48 +0200
Manuel Reimer <Manuel.Spam at nurfuerspam.de> wrote:

> Loren Merritt wrote:
> > Did you miss the part in the very page you linked which says the bug was 
> > fixed before the CERT was published, and links to the commit?
> 
> And so it's my job to backport this commit to get it to work with 
> Mplayer 1.0 RC2?

Note: It's MPlayer, not Mplayer.
 
> > Or do you expect us to release a new official binary every time some bug 
> > gets fixed?
> 
> No, but you could have placed the patch to
> 
> ftp://ftp1.mplayerhq.hu/MPlayer/patches
> 
> and you could have published some information to the homepage of 
> mplayer. How should Mplayer 1.0 RC2 users find out that they have to 
> patch and recompile if you don't tell them?

If you are a normal user, you shouldn't use rc2 anyways, but svn.
Otherwise you'll work with an totaly outdated version of MPlayer
with tons of bugs and security issues.
If you are a packager for a distribution, you should be able
to extract the needed information to patch your package.

			Attila Kinali

-- 
The true CS students do not need to know how to program.
They learn how to abstract the process of programming to
the point of making programmers obsolete.
		-- Jabber in #holo



More information about the MPlayer-users mailing list