VLC media player 3.0.20 and earlier arbitrary code execution vulnerability

Hello, VLC got a security vulnerability.

The arch repo still has 30.0.20
https://archlinux.org/packages/extra/x86_64/vlc/

Something seems to happen at arch with 3.0.21
https://archlinux.org/packages/extra-staging/x86_64/vlc/

Can somebody please explain to me why this fixed version isn’t released for everyone by now? Debian and Fedora got that update a couple of days ago. Would love to understand what I am missing here.

possibly - please see → Switching Branches - Manjaro

It doesn’t appear to be an imminent threat. There are no reports of exploitation just yet, and it appears to also be uncertain whether it could indeed lead to remote code execution. Furthermore, the attack vector can be mitigated for now by simply avoiding MMS streams.
