Yes, I was wondering about that as well. There is no new security advisory either (https://www.videolan.org/security/) but afaik they only publish advisories when there is a vulnerability in VLC itself, not when it is in a 3rd party library.
Thanks, I forgot about the security advisories! But as you say, not all security fixes are published in security advisories. For instance, the security fixes in 3.0.3 weren't published in a security advisory (3rd party libraries updated). And the security fixes in 2.2.8 and 2.2.7 weren't published in a security advisory, either (2.2.8: AVI demuxer; 2.2.7: flac and the libavcodec modules, in the avi module). On the other hand, I see that security advisory 1801 reported a vulnerability in 3.0.0 and 3.0.1 that was fixed in 3.0.2, which was not clearly mentioned in the changelog or news archive.
I am not sure. The changelog for VLC media player 3.0.3 said "Numerous 3rd party libraries updated, fixing security issues". It was not specified whether the security issues were in 3.0.x only, or in VLC media player 2.2.8 as well. On May 30, I concluded that with no further information available, I had to assume that VLC media player 3.0.3 should be considered as a security update to all previous versions. Whether using VLC media player 2.2.8 is a security risk, I cannot tell for sure, but I'd rather use the current version 3.0.4.
VLC media player v3.0.5 (December 26, 2018)
Website
Download: https://download.videolan.org/pub/videolan/vlc/3.0.5/

Changes:

Changes between 3.0.4 and 3.0.5:
--------------------------------

Access:
 * Improve RTSP playback
 * BluRay fixes and improvements, notably for menus and seeking
 * Improve the UDP/RTP truncated issue

Codec:
 * Add a new AV1 decoder based on dav1d library
 * Enable libaom decoder by default
 * Fix decoding of some HEVC streams with macOS hardware decoding

Demux:
 * MP4: Fix reading of some HDR metadata
 * Miscellaneous AV1 demuxing improvements
 * Fix CAF integer-underflow
 * Fix an MKV crash on iOS 12.0, on iPhone XS phones

Packetizer:
 * Add an AV1 packetizer

macOS:
 * Starting with VLC 3.0.5, VLC will be distributed with runtime hardening enabled on macOS Mojave. All external VLC plugins need to be signed by a DeveloperID certificate in order to continue working with the official VLC package.
 * Update the VLC dark UI to better match the dark mode of macOS Mojave
 * Fix convert & save panel stream option

Audio output:
 * Fix corking when the playback state is paused
 * Improve corking on Android

Video Output:
 * Fix Direct3D11 tone-mapping when HDR is displayed on an SDR screen
 * More accurate colors for SD sources in Direct3D11
 * Disable hardware decoding on some old Intel GPUs
 * Fix zero-copy GPU acceleration on AMD RX Vega
 * Misc Direct3D11 fixes

Miscellaneaous:
 * Improve ChromeCast
 * Update numerous 3rd party libraries, including for minor security issues
 * Update Youtube support
 * Fix subtitles rendering with specific fonts with negative horizontal advance
Thanks, mood. VLC media player 3.0.5 looks to be a (minor) security update, because of "Miscellaneaous: Update numerous 3rd party libraries, including for minor security issues".
The news archive has finally been updated with the 3.0.4 release, which points to here: https://www.videolan.org/vlc/releases/3.0.4.html So we can finally conclude that 3.0.4 did fix security issues. Also in the changelog, for macOS. "* Starting with VLC 3.0.5, VLC will be distributed with runtime hardening enabled on macOS Mojave." Not a vulnerability fix, but it improves security, so I thought it was worth mentioning.
VLC media player v3.0.6 (January 10, 2019) Website Download: https://download.videolan.org/pub/videolan/vlc/3.0.6/ Changes:
VLC hits three billion downloads, announces support for AirPlay and more January 11, 2019 https://www.neowin.net/news/vlc-hits-three-billion-downloads-announces-support-for-airplay-and-more
FYI. VLC Media Player Portable 3.0.6 (audio and video player) Released for the PA Platform, courtesy of PortableApps.com.
Thanks @JRViejo - VLC is pretty much one of only two that's been reliable on this end, and that says something for portable players, since commercial players almost always want to insert feelers spread all around a PC system, and some even add an extra running process or two that demands additional energy/resources to run.
VLC app is available to Huawei users again as VideoLAN quietly lifts block April 16, 2019 https://www.neowin.net/news/vlc-app...i-users-again-as-videolan-quietly-lifts-block
VLC Media Player 3.0.7 released: security updates and improvements
June 06, 2019
https://www.ghacks.net/2019/06/06/vlc-media-player-3-0-7-released-security-updates-and-improvements/

-------------

Changes between 3.0.6 and 3.0.7: http://www.videolan.org/developers/vlc-branch/NEWS

Changes between 3.0.6 and 3.0.7:
--------------------------------

Access:
 * Improve Blu-ray support
 * Fix sftp module build with libssh >= 1.8.1

Audio output:
 * Fix pass-through on Android-23
 * Fix DirectSound drain

Demux:
 * Improve MP4 support

Video Output:
 * Fix 12 bits sources playback with Direct3D11
 * Fix crash on iOS
 * Fix midstream aspect-ratio changes when Windows hardware decoding is on
 * Fix HLG display with Direct3D11

Stream Output:
 * Improve Chromecast support with new ChromeCast apps

macOS:
 * Fix UPNP service discovery, services are discovered on the highest priority active network interface now
 * Fix video distortion on macOS Mojave

Misc:
 * Update Youtube, Dailymotion, Vimeo, Soundcloud scripts
 * Work around busy looping when playing an invalid item with loop enabled

Translations:
 * Update of most translations

Security:
 * Fix multiple buffer overflows in the ps demuxer
 * Fix a buffer overflow when copying a biplanar YUV image
 * Fix multiple buffer overflows in the faad decoder
 * Fix buffer overflow in the svcdsub decoder
 * Fix buffer overflows in the ogg muxer & demuxer
 * Fix buffer overflows in libavformat demuxer
 * Fix multiple buffer overflows in the MKV demuxer
 * Fix a buffer overflow in the MP4 demuxer
 * Fix a buffer overflow in the textst decoder
 * Fix a buffer overflow in the webvtt decoder
 * Fix a buffer overflow in the ASF demux
 * Fix a buffer overflow in the UPNP SD
 * Fix use after free in the ogg demuxer
 * Fix multiple use after free in the MKV demuxer
 * Fix multiple use after free in the DMO decoder
 * Fix integer underflow in the MKV demuxer
 * Fix an updater NULL pointer dereference on invalid signing keys
 * Fix NULL pointer dereference in the MKV demuxer
 * Fix an integer overflow in the spudec decoder
 * Fix an integer overflow in the nsc demuxer
 * Fix an integer overflow in the avi demuxer
 * Fix reads of uninitialized pointers in the MKV demuxer
 * Fix a floating point exception in the MKV demuxer
 * Fix an infinite loop in the flac packetizer

Edit: www.videolan.org/vlc/download-windows.html http://www.videolan.org/
VLC Player Gets Patched for Two High-Severity Bugs https://threatpost.com/vlc-player-gets-patched-for-two-high-severity-bugs/
VLC media player v3.0.7.1 Released (June 11, 2019)
Website

Changes:

Changes between 3.0.7 and 3.0.7.1:
----------------------------------

Access:
 * Update libbluray to 1.1.2

macOS:
 * Fix bluray java menu playback regression in 3.0.7

Video Output:
 * Fix hardware acceleration with some AMD drivers
 * Improve direct3d11 HDR support
FYI. VLC Media Player Portable 3.0.7.1 (audio and video player) Released for the PA Platform, courtesy of PortableApps.com.
As usual, thanks again JRViejo. Reassuring they continue to develop and improve this video media player.
VLC v3.0.7.1 German cybersecurity agency identifies critical flaw in VLC Media Player July 19, 2019 https://www.neowin.net/news/german-cybersecurity-agency-identifies-critical-flaw-in-vlc-media-player
'Critical' vulnerability discovered in VLC on Linux and Windows -- but VideoLAN says it is not reproducible July 24, 2019 https://betanews.com/2019/07/24/vlc-critical-bug-denial/