Secunia
Relating to this vendor: VideoLAN
And, this specific program: VLC media player 0.x

| Chickenbone | Update to nonexistent version |

2nd Dec, 2008 00:06
Ranking: 0 Posts: 1 User Since: 22nd Feb, 2008 System Score: N/A Location: N/A

I have PSI 1.0.0.1 installed. It has detected VLC 0.9.6, which is correct. It wants me to upgrade to VLC 0.9.7, but this version does not exist for Windows. I don't want to ignore the software as future upgrades will come out, but this is rather annoying!

| navysquid1 | RE: Update to nonexistent version |

2nd Dec, 2008 03:13
Score: 0 Posts: 1 User Since: 26th Oct 2008 System Score: N/A Location: N/A Last edited on 2nd Dec, 2008 03:14

Per the Videolan site, the correct new version is 0.9.8, but it is not yet available in compiled form, so you have to get the source code and compile it manually. The interim advice is to avoid opening untrusted files (files from untrusted sources). http://www.videolan.org/security/sa0811.html

The compiled version should be available within the next few days. I also noted that the download button in PSI is not working for this program.

| jtrangsr | RE: Update to nonexistent version |

2nd Dec, 2008 15:26
Score: 0 Posts: 2 User Since: 27th Feb 2008 System Score: N/A Location: N/A

In searching around their site, I found there are tar files available for 0.9.7, but not any Windows files.

| E.Jeppesen | RE: Update to nonexistent version |

2nd Dec, 2008 15:36
Score: 165 Posts: 490 User Since: 24th Nov 2008 System Score: N/A Location: Copenhagen, DK Last edited on 2nd Dec, 2008 15:38

Thank you for reporting this. It appears that the guys from VLC have retracted the 0.9.7 version from their mirrors (it was available for download for a few hours yesterday). We have temporarily adjusted our detection signatures until a permanent solution is available from the vendor. We will naturally update our detection signatures as soon as the new version is re-released on their website.

| jtrangsr | RE: Update to nonexistent version |

2nd Dec, 2008 17:53
Score: 0 Posts: 2 User Since: 27th Feb 2008 System Score: N/A Location: N/A

What is/was vulnerable about 0.9.6 that 0.9.7 addresses?

This puts into question your assessment criteria for assigning an "insecure" status to a program.

1. If VLC media player 0.9.6 was really vulnerable, then it should have remained in the insecure status even though a fix is not yet available. Many times proof of concepts are published in order to force a manufacturer to come up with a solution. This happens quite often to a particular Redmond-based software company.

2. On the flip side, just because a new version is available, doesn't automatically make the previous version "insecure". They may have just fixed a compatibility issue or added more languages.

| BigDave_39 | RE: Update to nonexistent version |

2nd Dec, 2008 18:11
Score: 0 Posts: 177 User Since: 26th Nov 2008 System Score: N/A Location: Washington, DC, US Last edited on 2nd Dec, 2008 18:14

on 2nd Dec, 2008 17:53, jtrangsr wrote:
> What is/was vulnerable about 0.9.6 that 0.9.7 addresses?

I think this one answers that: http://secunia.com/advisories/32942/

on 2nd Dec, 2008 17:53, jtrangsr wrote:
> This puts into question your assessment criteria for assigning an "insecure" status to a program.
>
> 1. If VLC media player 0.9.6 was really vulnerable, then it should have remained in the insecure status even though a fix is not yet available. Many times proof of concepts are published in order to force a manufacturer to come up with a solution. This happens quite often to a particular Redmond-based software company.
>
> 2. On the flip side, just because a new version is available, doesn't automatically make the previous version "insecure". They may have just fixed a compatibility issue or added more languages.

I believe that the purpose of the PSI is to detect if all relevant security patches have been applied or not. I don't think the PSI will list if there is a vulnerability where the vendor hasn't published a patch (like in this case where the VLC player patch has been retracted).

--
Big Dave

| DeiGratia | RE: Update to nonexistent version |

2nd Dec, 2008 22:23
Score: 0 Posts: 1 User Since: 22nd Dec 2007 System Score: N/A Location: N/A

When I saw this shown as insecure, I again checked the version it detected with the version I do have installed and was amazed to see that it was so, yet I go to VLC site only to find the very version I had in (yesterday), so I usually do not fret when something is not at the site they may have the version BUT NOT READY FOR PUBLIC RELEASE. Means that the programmers like to limit bugs and vulnerabilities prior to letting out their final work.