
Forum Thread: PSI 2 shows VLC 2.1.3.0 marked as patched despite SA59285 !

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
klausus02 PSI 2 shows VLC 2.1.3.0 marked as patched despite SA59285 !
Member 3rd Jul, 2014 16:44
Ranking: 4
Posts: 73
User Since: 4th Feb, 2011
System Score: N/A
Location: DE
PSI 2.0.0.4003 doesn't flag VLC 2.1.3.0 as insecure although Secunia Advisory SA59285 is still valid! Is there an error in the PSI database?

This issue is said to be fixed in VLC 2.1.5, which isn't officially out.

regards
Klaus Junke


Maurice Joyce RE: PSI 2 shows VLC 2.1.3.0 marked as patched despite SA59285 !
Handling Contributor 3rd Jul, 2014 18:56
Score: 11720
Posts: 8,956
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Is it stating that after a full PSI scan?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
klausus02 RE: PSI 2 shows VLC 2.1.3.0 marked as patched despite SA59285 !
Member 3rd Jul, 2014 19:05
Score: 4
Posts: 73
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Yes, exactly.
klausus02 RE: PSI 2 shows VLC 2.1.3.0 marked as patched despite SA59285 !
Member 6th Jul, 2014 12:44
Score: 4
Posts: 73
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Anything new? Is Secunia going to update their database?

regards
klaus
klausus02 RE: PSI 2 shows VLC 2.1.3.0 marked as patched despite SA59285 !
Member 12th Jul, 2014 10:24
Score: 4
Posts: 73
User Since: 4th Feb 2011
System Score: N/A
Location: DE
@Maurice
I wonder why there is no reaction from Secunia. Now, I'm not sure anymore. Am I wrong about claiming a database-update? Can you please help me to get more understanding?

regards
Klaus
Maurice Joyce RE: PSI 2 shows VLC 2.1.3.0 marked as patched despite SA59285 !
Handling Contributor 13th Jul, 2014 21:52
Score: 11720
Posts: 8,956
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Klaus
From my research I think you are mistaken in thinking that version 2.1.3.0 is vulnerable but that does not excuse the appalling lack of support you & others with valid questions are receiving from Secunia on this Forum.

Please be aware I do not work for or represent Secunia in any way. Secunia are well known for their total lack of communication skills which has not improved despite a promise made by a Director a long time ago after complaints on their lack of support or interest.

VLC.
Secunia SA59285 is reporting that version 2.1.4 is vulnerable. This appears to be a developer release & not available to the general public via the official download link - http://www.videolan.org/vlc/
but is available to Mac - http://www.videolan.org/vlc/download-macosx.html

It looks like 2.1.4 is downloadable from here http://sourceforge.net/projects/vlc/ and one or two other well known dross downloader sites like Softpedia.

Please note that I do not use VLC or PSI so some of my research may require a VLC "expert" eye to embellish my findings.

I carried out some tests using PSI V 3.0.0.9016 on Windows 8.1. Firstly I downloaded VLC from here:
http://www.videolan.org/vlc/

I then scanned with 3 different vulnerability checkers - Secunia PSI & the much more reliable Qualy & Heimdal scanners - they all report version 2.1.3.0 as present, up to date & secure.

https://1ncuig.bn1.livefilestore.com/y2p3bf1BNEJV3...

These additional checks appear to support the fact that version 2.1.0.3 is not insecure - have you seen some information that indicates this version is vulnerable?

I then installed version 2.1.4.0 from here http://sourceforge.net/projects/vlc/

Qualy & Heimdal do not display this version after a scan but oddly enough PSI does:

https://1ncuig.bn1.livefilestore.com/y2plcq2p2PZOI...

The scan result appears to contradict SA59285.

In a nutshell I believe version 2.1.3.0 is not vulnerable - not so sure about the status of version 2.1.4.0 until Secunia clarify their position.

Given the reluctance of Secunia to communicate perhaps best you contact Videolan if more details are required:
http://www.videolan.org/support/

Hope this helps a bit!


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
klausus02 RE: PSI 2 shows VLC 2.1.3.0 marked as patched despite SA59285 !
Member 14th Jul, 2014 14:18
Score: 4
Posts: 73
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 14th Jul, 2014 14:35
@Maurice
Thank you for your response.

on 13th Jul, 2014 21:52, Maurice Joyce wrote:

VLC.
... Secunia SA59285 is reporting that version 2.1.4 is vulnerable....


I'm not sure. SA59285 says: "The vulnerability is reported in version 2.1.4. Other versions may also be affected."

Also you can read this:
http://www.videolan.org/developers/vlc-branch/NEWS

saying that VideoLan is going to fix the vulnerability. But no information about when the new version is being released.

For Linux VideoLan has released VLC 2.1.5 already here:
http://download.videolan.org/pub/videolan/vlc/2.1....

on 13th Jul, 2014 21:52, Maurice Joyce wrote:

I then scanned with 3 different vulnerability checkers - Secunia PSI & the much more reliable Qualy & Heimdal scanners - they all report version 2.1.3.0 as present, up to date & secure.


Hope that they really have looked into
http://www.videolan.org/developers/vlc-branch/NEWS ...


on 13th Jul, 2014 21:52, Maurice Joyce wrote:

In a nutshell I believe version 2.1.3.0 is not vulnerable - not so sure about the status of version 2.1.4.0 until Secunia clarify their position.


Yes, I agree. Secunia has to make a statement!

regards
Klaus


klausus02 RE: PSI 2 shows VLC 2.1.3.0 marked as patched despite SA59285 !
Member 15th Jul, 2014 21:03
Score: 4
Posts: 73
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 15th Jul, 2014 21:13
on 13th Jul, 2014 21:52, Maurice Joyce wrote:


Given the reluctance of Secunia to communicate perhaps best you contact Videolan if more details are required:
http://www.videolan.org/support/


Maurice,

I asked the videolan forum and Jean-Baptiste Kempf confirmed this security issue!
https://forum.videolan.org/viewtopic.php?f=14&t=12...

@Secunia Official
Sure, SA59285 is absolutely correct!!

regards
Klaus

Maurice Joyce RE: PSI 2 shows VLC 2.1.3.0 marked as patched despite SA59285 !
Handling Contributor 15th Jul, 2014 23:00
Score: 11720
Posts: 8,956
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Klaus,
If you are saying that 2.1.3.0 is secure I agree.

If you are also saying that Secunia is correct in highlighting that 2.1.4.0 is vulnerable in SA59285 I agree.

What I do not agree with is that a PSI scan clearly shows that 2.1.4.0 is NOT vulnerable when installed on a PC.

Secunia cannot have it both ways - the vendor has confirmed the SA is correct but Secunia's database is certainly not - it should show users it is vulnerable.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
klausus02 RE: PSI 2 shows VLC 2.1.3.0 marked as patched despite SA59285 !
Member 16th Jul, 2014 09:32
Score: 4
Posts: 73
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 16th Jul, 2014 09:34
Maurice,

I did not say that VLC 2.1.3 is secure. I said that VLC 2.1.3 is unsecure!

And SA59285 states:
The vulnerability is reported in version 2.1.4. Other versions may also be affected.

And videolan has confirmed that VLC 2.1.3 is unsecure.

For Windows there exists no official release of VLC 2.1.4 by VideoLan.

The official VideoLan-download links are pointing to VLC 2.1.3-win32 -
http://www.videolan.org/vlc/#download

respectively VLC 2.1.3-win64 -
http://download.videolan.org/pub/videolan/vlc/last...

VLC 2.1.4 is officially released for mac only.

Nevertheless, as you wrote:
on 15th Jul, 2014 23:00, Maurice Joyce wrote:
the vendor has confirmed the SA is correct but Secunia's database is certainly not - it should show users it is vulnerable.


Secunia should finally update their database!

- Klaus


© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144