Secunia
Relating to this vendor: VideoLAN
And, this specific program: VLC media player 0.x

| VopThis | Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

25th Nov, 2008 17:01

Ranking: 0 Posts: 4 User Since: 29th Dec, 2007 System Score: 97% Location: N/A Last edited on 25th Nov, 2008 17:04

Remained as above even when updated to Ver. 0.8.6i. for quite some time now. Still unchanged when recently updated to ver 0.9.6. The file paths are all the same, as well:

"C:\Program Files\VideoLAN\VLC\vlc.exe"
"E:\Program Files\VideoLAN\VLC\vlc.exe"

| debeul | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

25th Nov, 2008 17:12

Score: 0 Posts: 9 User Since: 19th Dec 2007 System Score: N/A Location: N/A

I asked Secunia about this problem. They responded:

---

We are aware of VLC Media Player version 0.8.6i being detected as the insecure version 0.8.6h. The reason for this is that the developers behind VLC Media Player have forgotten to update their program's file version information. The PSI looks at this information when determining the version of a program. Hopefully this error in the VLC Media Player will be corrected by its developers soon.

Meanwhile you can open VLC Media Player, go to Help-->About... and check your currently installed version. If it says “VLC Media Player 0.8.6i” you have the latest version.

---

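The check Secunia's reply describes, reading the version stamped in a binary's file version information and comparing it with the release shown in Help-->About, as an added example that is not part of the thread and is not Secunia's or VideoLAN's code. It scans for the `VS_FIXEDFILEINFO` signature instead of walking the PE resource directory; the sample binaries, their version numbers and the third path are constructed.

```python
import struct

# VS_FIXEDFILEINFO.dwSignature (0xFEEF04BD) as stored little-endian in a PE file.
FFI_SIGNATURE = b"\xbd\x04\xef\xfe"
FFI_STRUC_VERSION = 0x00010000

def stamped_version(data):
    """Return the dwFileVersion tuple from the first VS_FIXEDFILEINFO, or None."""
    pos = data.find(FFI_SIGNATURE)
    while pos != -1:
        if pos + 52 <= len(data):  # the structure is 13 DWORDs
            _, struc, ms, ls = struct.unpack_from("<4I", data, pos)
            if struc == FFI_STRUC_VERSION:  # reject chance byte matches
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(FFI_SIGNATURE, pos + 1)
    return None

def audit(installs, expected):
    """Compare each binary's stamped version with the release the user installed."""
    report = {}
    for path, data in installs.items():
        found = stamped_version(data)
        if found is None:
            report[path] = ("no-version-resource", None)
        elif found[:len(expected)] == tuple(expected):
            report[path] = ("match", found)
        else:
            report[path] = ("stamp-mismatch", found)
    return report

def make_blob(version):
    """Constructed stand-in for an .exe: a decoy signature, then one real structure."""
    a, b, c, d = version
    ffi = struct.pack("<13I", 0xFEEF04BD, FFI_STRUC_VERSION,
                      (a << 16) | b, (c << 16) | d,   # file version
                      (a << 16) | b, (c << 16) | d,   # product version
                      0x3F, 0, 0x00040004, 1, 0, 0, 0)
    return b"MZ" + b"\x00" * 94 + FFI_SIGNATURE + b"junk" + ffi + b"\x00" * 16

# Constructed sample data, not taken from real VLC builds.
SAMPLE = {
    r"C:\Program Files\VideoLAN\VLC\vlc.exe": make_blob((0, 9, 6, 0)),
    r"E:\Program Files\VideoLAN\VLC\vlc.exe": make_blob((0, 8, 6, 0)),
    r"C:\Tools\portable\vlc.exe": b"MZ" + b"\x00" * 64,  # hypothetical path
}

if __name__ == "__main__":
    for path, (status, ver) in audit(SAMPLE, (0, 9, 6)).items():
        print(f"{status:20} {ver} {path}")
```

A `stamp-mismatch` result means a scanner that trusts the file version information will report the stamped version, whatever the About box says.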
| war59312 | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

26th Nov, 2008 03:33

Score: 3 Posts: 19 User Since: 26th Nov 2008 System Score: N/A Location: US

Nope, still not fixed, even with VLC 0.9.6.

| E.Jeppesen | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

26th Nov, 2008 14:21

Score: 175 Posts: 497 User Since: 24th Nov 2008 System Score: N/A Location: Copenhagen, DK

Are both of the VLC installations reported as being insecure, or is it just one of them that is reported as insecure? Could you please provide us with the version number of each of the individual files.

| VopThis | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

26th Nov, 2008 15:30

Score: 0 Posts: 4 User Since: 29th Dec 2007 System Score: 97% Location: N/A

Only one of them had been consistently reported as insecure (Ver. 0.8.6h) even when I had updated to Ver. 0.8.6i or ver 0.9.6.

| war59312 | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

29th Nov, 2008 01:09

Score: 3 Posts: 19 User Since: 26th Nov 2008 System Score: N/A Location: US

on 26th Nov, 2008 14:21, E.Jeppesen wrote:

> Are both of the VLC installations reported as being insecure, or is it just one of them that is reported as insecure? Could you please provide us with the version number of each of the individual files.

I only have VLC media player 0.9.6 installed.

Screen-shot of exe: http://img201.imageshack.us/img201/613/vlcet0.png

| VopThis | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

1st Dec, 2008 14:09

Score: 0 Posts: 4 User Since: 29th Dec 2007 System Score: 97% Location: N/A

All is now good in ver 0.9.7.

| poutnikl | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

1st Dec, 2008 16:59

Score: 0 Posts: 38 User Since: 8th May 2008 System Score: N/A Location: N/A

I have previously reported in other thread that my installation of VLC 0.9.6 is still reported as 0.9.4, even if in Help - about and at EXE file properties is reported as 0.9.6. Not sure if 0.9.6 was installed by EXE install, or from archive.

Today I updated VLC to 0.9.7, due to recent vulnerability from 7z package by plain overwriting. Doing fresh PSI scan it claimed it is still 0.9.4. In both places, mentioned above, EXE claims it is 0.9.7.

I uninstalled VLC keeping settings, deleted VLC folder and installed VLC from 0.9.7 EXE setup. PSI running at background withdrew its 0.9.4 vulnerability report, all was OK.

| highstream | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

3rd Dec, 2008 02:11

Score: 6 Posts: 29 User Since: 19th Dec 2007 System Score: N/A Location: N/A Last edited on 3rd Dec, 2008 08:56

I have 0.9.6 and immediately before moving from RC4 to v.1.0, it showed as secure; afterward, it became insecure. After three reinstalls and rescans, PSI v. 1.0.0.1 still claims it is actually the earlier 0.8.6h version. I've read Secunia's write up about VLC, but that doesn't explain either the shifting status here, or how some people report it in this forum as secure, while others of us as insecure. I've checked the file location and it is correct. 0.9.6 may be insecure, too, but it would be nice if PSI would just recognize it consistently.

Update: On the fourth installation, PSI finally recognized 0.9.6 as secure (which now seems contrary to this thread).

| jyd44 | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

5th Dec, 2008 19:33

Score: 0 Posts: 1 User Since: 5th Dec 2008 System Score: N/A Location: N/A

Same Issue: version PSI v1.0.0.1. Three VLC installed:

- one in "standard directory": c:\Program Files\Videolan\Vlc where version file is 0.9.6.99 (from the version tag in the property box) and reported by PSI as 0.8.6f
- one in directory "C:\Program Files\adslTV" where version file is 0.8.6f and reported by PSI as 0.8.6f
- one in directory "C:\Program Files\HomePlayer\VLC" where version file is 0.8.6f and reported by PSI as 0.8.6f

version 0.8.6f is imposed by adslTV and Homeplayer applications. Nevertheless, only two VLC players should be reported as version 0.8.6f

| albue | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

10th Dec, 2008 01:37

Score: 0 Posts: 1 User Since: 10th Dec 2008 System Score: N/A Location: N/A

on 25th Nov, 2008 17:01, VopThis wrote:

> Remained as above even when updated to Ver. 0.8.6i. for quite some time now. Still unchanged when recently updated to ver 0.9.6. The file paths are all the same, as well:
>
> "C:\Program Files\VideoLAN\VLC\vlc.exe"
> "E:\Program Files\VideoLAN\VLC\vlc.exe"

| genegold99 | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

10th Dec, 2008 02:59

Score: 5 Posts: 121 User Since: 25th Nov 2008 System Score: N/A Location: US

Even after VideoLAN pulled the 0.9.8 update, I found a download that was listed as 0.9.7 but in reality was 0.9.6. I guess it must have been a little different than the existing 0.9.6 (seen by PSI as 0.8.4h), because PSI accepted it. Today it turned insecure again because there is a v. 0.9.8 now available. With that, PSI is once again a happy camper.

| poutnikl | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

10th Dec, 2008 09:53

Score: 0 Posts: 38 User Since: 8th May 2008 System Score: N/A Location: N/A

Even 0.9.8 is vulnerable and there is 0.9.8a released. See ftp://ftp.videolan.org or http://downloads.videolan.org

| genegold99 | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

10th Dec, 2008 17:18

Score: 5 Posts: 121 User Since: 25th Nov 2008 System Score: N/A Location: US

on 10th Dec, 2008 09:53, poutnikl wrote:

> Even 0.9.8 is vulnerable and there is 0.9.8a released. see ftp://ftp.videolan.org or http://downloads.videolan.org

Yes, and it was still showing as 0.8.x

| poutnikl | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

10th Dec, 2008 17:24

Score: 0 Posts: 38 User Since: 8th May 2008 System Score: N/A Location: N/A Last edited on 10th Dec, 2008 17:25

Not mine, mine is properly shown as 0.9.8a.

In time I had 0.9.6, it was falsely reported as 0.9.4. Then I recalled myself I installed 0.9.4 by setup, but updated to 0.9.6 from archive by overwriting. I ran uninstaller, keeping settings, ran 0.9.6 installer and voila - PSI reported it properly. It could be due to some browser VLC plugins, that setup installs.

| genegold99 | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

10th Dec, 2008 17:51

Score: 5 Posts: 121 User Since: 25th Nov 2008 System Score: N/A Location: US

What I was referring to was when it showed as insecure this morning with 0.9.6, it showed as 0.8.4h. That was after the uninstall/new install yesterday of 0.9.6. After the update PSI likes it again, showing 0.9.6a. Well, if it's showing as secure in PSI yesterday as 0.9.6 yesterday and 0.8.4h today, then is that VLC or PSI?

| poutnikl | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

10th Dec, 2008 17:56

Score: 0 Posts: 38 User Since: 8th May 2008 System Score: N/A Location: N/A

0.96a or 0.9.8a? Because I am not aware about any 0.9.6a version.

| Labuszewski | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

8th Jan, 2009 10:34

Score: 0 Posts: 1 User Since: 15th Dec 2008 System Score: N/A Location: N/A Last edited on 8th Jan, 2009 10:36

on 25th Nov, 2008 17:01, VopThis wrote:

> Remained as above even when updated to Ver. 0.8.6i. for quite some time now. Still unchanged when recently updated to ver 0.9.6. The file paths are all the same, as well:
>
> "C:\Program Files\VideoLAN\VLC\vlc.exe"
> "E:\Program Files\VideoLAN\VLC\vlc.exe"

| genegold99 | RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA) |

3rd Apr, 2009 22:02

Score: 5 Posts: 121 User Since: 25th Nov 2008 System Score: N/A Location: US

VLC has just updated to 0.9.9, but is getting the same false positive with PSI after automatic or full scans, showing an 0.8.x version. It then corrects itself on rescan of the application, and the correct version shows under the Patched software. I made screenshots of before, during and after and sent them to PSI support. Maybe if some others do the same, the problem will be detected, explained and corrected. The address can be found near the bottom of http://secunia.com/vulnerability_scanning/personal...