
Forum Thread: Update to nonexistent version

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
VideoLAN
And, this specific program:
VLC media player 0.x

This thread has been marked as locked.
Chickenbone Update to nonexistent version
Member 2nd Dec, 2008 00:06
Ranking: 0
Posts: 1
User Since: 22nd Feb, 2008
System Score: N/A
Location: N/A
I have PSI 1.0.0.1 installed. It has detected VLC 0.9.6, which is correct. It wants me to upgrade to VLC 0.9.7, but this version does not exist for Windows. I don't want to ignore the software as future upgrades will come out, but this is rather annoying!

navysquid1 RE: Update to nonexistent version
Member 2nd Dec, 2008 03:13
Score: 0
Posts: 1
User Since: 26th Oct 2008
System Score: N/A
Location: N/A
Last edited on 2nd Dec, 2008 03:14
Per the Videolan site, the correct new version is 0.9.8, but it is not yet available in compiled form, so you have to get the source code and compile it manually. The interim advice is to avoid opening untrusted files (files from untrusted sources).
http://www.videolan.org/security/sa0811.html
The compiled version should be available within the next few days.
I also noted that the download button in PSI is not working for this program.
jtrangsr RE: Update to nonexistent version
Member 2nd Dec, 2008 15:26
Score: 0
Posts: 2
User Since: 27th Feb 2008
System Score: N/A
Location: N/A
In searching around their site, I found there are tar files available for 0.9.7, but not any Windows files.
E.Jeppesen RE: Update to nonexistent version
Secunia Official 2nd Dec, 2008 15:36
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Last edited on 2nd Dec, 2008 15:38
Thank you for reporting this.

It appears that the guys from VLC have retracted the 0.9.7 version from their mirrors (it was available for download for a few hours yesterday).

We have temporarily adjusted our detection signatures until a permanent solution is available from the vendor.

We will naturally update our detection signatures as soon as the new version is re-released on their website.
jtrangsr RE: Update to nonexistent version
Member 2nd Dec, 2008 17:53
Score: 0
Posts: 2
User Since: 27th Feb 2008
System Score: N/A
Location: N/A
What is/was vulnerable about 0.9.6 that 0.9.7 addresses?

This puts into question your assessment criteria for assigning an "insecure" status to a program.

1. If VLC media player 0.9.6 was really vulnerable, then it should have remained in the insecure status even though a fix is not yet available. Many times proofs of concept are published in order to force a manufacturer to come up with a solution. This happens quite often to a particular Redmond-based software company.

2. On the flip side, just because a new version is available doesn't automatically make the previous version "insecure". They may have just fixed a compatibility issue or added more languages.
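The two cases jtrangsr distinguishes (a vulnerable version must stay "insecure" even when the fix is unavailable; a newer release alone does not make the old one insecure) are exactly the decision a patch-status scanner has to encode. The following is an added illustration, not Secunia's PSI code or its real signature format: it keeps "insecure" tied to an advisory that covers the installed version, tracks separately whether the fixing release is actually published, and reports a merely outdated version without calling it insecure. The advisory identifier, the affected-version boundary and the fix versions in the sample data are constructed for the example and are not taken from any real advisory.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Status values a scanner could report for one installed program.
INSECURE = "insecure"    # an advisory covers the installed version
OUTDATED = "outdated"    # no known vulnerability, but a newer release exists
CURRENT = "current"      # installed version is the latest known release


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version string such as '0.9.6' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    ident: str                  # advisory identifier (placeholder in the sample data)
    affected_max: str           # highest version the advisory reports as vulnerable
    fixed_in: Optional[str]     # release that fixes it, or None if no fix exists yet
    fix_published: bool = True  # False once the vendor has pulled the release again


@dataclass
class Product:
    name: str
    latest_release: str
    advisories: List[Advisory] = field(default_factory=list)


def assess(installed: str, product: Product) -> Tuple[str, str]:
    """Classify an installed version as INSECURE, OUTDATED or CURRENT.

    The security status is driven only by advisories, never by the mere existence
    of a newer release (jtrangsr's point 2); a covered version stays INSECURE even
    when no fix can be downloaded (point 1), and the detail text says so.
    """
    inst = parse_version(installed)
    open_advs = [a for a in product.advisories if inst <= parse_version(a.affected_max)]
    if open_advs:
        fixes = sorted(
            (parse_version(a.fixed_in) for a in open_advs if a.fixed_in and a.fix_published),
            reverse=True,
        )
        ids = ", ".join(a.ident for a in open_advs)
        if fixes:
            fix = ".".join(str(p) for p in fixes[0])
            return INSECURE, f"{ids}: fix available in {fix}"
        return INSECURE, f"{ids}: no fix currently available"
    if inst < parse_version(product.latest_release):
        return OUTDATED, f"newer release {product.latest_release} available (no known vulnerability)"
    return CURRENT, "up to date"


# Constructed sample data for the scenarios in this thread; not a real advisory.
def sample_product(fix_published: bool, with_advisory: bool = True) -> Product:
    advs = [Advisory("SA-EXAMPLE-1", affected_max="0.9.6", fixed_in="0.9.7",
                     fix_published=fix_published)] if with_advisory else []
    return Product("VLC media player", latest_release="0.9.8", advisories=advs)


if __name__ == "__main__":
    print(assess("0.9.6", sample_product(fix_published=True)))          # fix shipped
    print(assess("0.9.6", sample_product(fix_published=False)))         # fix retracted
    print(assess("0.9.6", sample_product(True, with_advisory=False)))   # merely outdated
    print(assess("0.9.8", sample_product(True)))                        # current
```

The point of keeping `fix_published` separate from `fixed_in` is that retracting a release, as happened with 0.9.7 here, changes the remedy text but not the status: the installed program is still covered by the advisory and stays insecure.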
BigDave_39 RE: Update to nonexistent version
Member 2nd Dec, 2008 18:11
Score: 0
Posts: 177
User Since: 26th Nov 2008
System Score: N/A
Location: Washington, DC, US
Last edited on 2nd Dec, 2008 18:14
on 2nd Dec, 2008 17:53, jtrangsr wrote:
What is/was vulnerable about 0.9.6 that 0.9.7 addresses?

I think this one answers that:
http://secunia.com/advisories/32942/

on 2nd Dec, 2008 17:53, jtrangsr wrote:
This puts into question your assessment criteria for assigning an "insecure" status to a program.

1. If VLC media player 0.9.6 was really vulnerable, then it should have remained in the insecure status even though a fix is not yet available. Many times proofs of concept are published in order to force a manufacturer to come up with a solution. This happens quite often to a particular Redmond-based software company.

2. On the flip side, just because a new version is available doesn't automatically make the previous version "insecure". They may have just fixed a compatibility issue or added more languages.

I believe that the purpose of the PSI is to detect if all relevant security patches have been applied or not. I don't think the PSI will list if there is a vulnerability where the vendor hasn't published a patch (like in this case where the VLC player patch has been retracted).

--
Big Dave
DeiGratia RE: Update to nonexistent version
Member 2nd Dec, 2008 22:23
Score: 0
Posts: 1
User Since: 22nd Dec 2007
System Score: N/A
Location: N/A
When I saw this shown as insecure, I again checked the version it detected with the version I do have installed and was amazed to see that it was so, yet I go to the VLC site only to find the very version I had in (yesterday), so I usually do not fret when something is not at the site; they may have the version BUT NOT READY FOR PUBLIC RELEASE. Means that the programmers like to limit bugs and vulnerabilities prior to letting out their final work.

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144