CVE-2014-3755 and CVE-2014-3756

Bug #1335597 reported by Felix Geyer
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mumble (Debian) | Fix Released | Unknown | | |
| mumble (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Precise | Won't Fix | Undecided | Unassigned | |
| Saucy | Won't Fix | Undecided | Unassigned | |
| Trusty | Fix Released | Undecided | Unassigned | |
| Utopic | Fix Released | Undecided | Unassigned | |

Felix Geyer (debfx) wrote :

Attached is a debdiff for trusty.
The same changes should probably apply to saucy but I haven't tested it.

The patches are not easily adaptable to the version in precise.

Changed in mumble (Debian):
status: Unknown → Fix Released
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff. Packages are building now and will be released today. Thanks!

Changed in mumble (Ubuntu Utopic):
status: New → Fix Released
Changed in mumble (Ubuntu Precise):
status: New → Confirmed
Changed in mumble (Ubuntu Saucy):
status: New → Confirmed
Changed in mumble (Ubuntu Trusty):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mumble - 1.2.4-0.2ubuntu1.1

---------------
mumble (1.2.4-0.2ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service through SVG images (LP: #1335597)
    - debian/patches/Mumble-SA-2014-005.patch: patch from upstream
    - CVE-2014-3755
  * SECURITY UPDATE: unproperly HTML-escaped external strings
    - debian/patches/Mumble-SA-2014-006.patch: patch from upstream
    - CVE-2014-3756
 -- Felix Geyer <email address hidden> Sun, 29 Jun 2014 11:34:25 +0200

Changed in mumble (Ubuntu Trusty):
status: Confirmed → Fix Released
Rolf Leggewie (r0lf) wrote :

saucy has seen the end of its life and is no longer receiving any updates. Marking the saucy task for this ticket as "Won't Fix".

Changed in mumble (Ubuntu Saucy):
status: Confirmed → Won't Fix
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in mumble (Ubuntu Precise):
status: Confirmed → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
