Security update for ffmpeg SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:0243-1 Final 1 1 2016-01-25T18:07:13Z current 2016-01-25T18:07:13Z 2016-01-25T18:07:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ffmpeg This update to ffmpeg 2.8.5 fixes the following issues: * CVE-2016-1897: Cross-origin issue in URL processing (concat) - local file disclosure (boo#961937) * CVE-2016-1898: Cross-origin issue in URL processing (subfile) - local file disclosure (boo#961937) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00034.html E-Mail link for openSUSE-SU-2016:0243-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 ffmpeg-2.8.5-12.1 ffmpeg-devel-2.8.5-12.1 libavcodec-devel-2.8.5-12.1 libavcodec56-2.8.5-12.1 libavcodec56-32bit-2.8.5-12.1 libavdevice-devel-2.8.5-12.1 libavdevice56-2.8.5-12.1 libavdevice56-32bit-2.8.5-12.1 libavfilter-devel-2.8.5-12.1 libavfilter5-2.8.5-12.1 libavfilter5-32bit-2.8.5-12.1 libavformat-devel-2.8.5-12.1 libavformat56-2.8.5-12.1 libavformat56-32bit-2.8.5-12.1 libavresample-devel-2.8.5-12.1 libavresample2-2.8.5-12.1 libavresample2-32bit-2.8.5-12.1 libavutil-devel-2.8.5-12.1 libavutil54-2.8.5-12.1 libavutil54-32bit-2.8.5-12.1 libpostproc-devel-2.8.5-12.1 libpostproc53-2.8.5-12.1 libpostproc53-32bit-2.8.5-12.1 libswresample-devel-2.8.5-12.1 libswresample1-2.8.5-12.1 libswresample1-32bit-2.8.5-12.1 libswscale-devel-2.8.5-12.1 libswscale3-2.8.5-12.1 libswscale3-32bit-2.8.5-12.1 ffmpeg-2.8.5-12.1 as a component of openSUSE Leap 42.1 ffmpeg-devel-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavcodec-devel-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavcodec56-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavcodec56-32bit-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavdevice-devel-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavdevice56-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavdevice56-32bit-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavfilter-devel-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavfilter5-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavfilter5-32bit-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavformat-devel-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavformat56-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavformat56-32bit-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavresample-devel-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavresample2-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavresample2-32bit-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavutil-devel-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavutil54-2.8.5-12.1 as a component of openSUSE Leap 42.1 libavutil54-32bit-2.8.5-12.1 as a component of openSUSE Leap 42.1 libpostproc-devel-2.8.5-12.1 as a component of openSUSE Leap 42.1 libpostproc53-2.8.5-12.1 as a component of openSUSE Leap 42.1 libpostproc53-32bit-2.8.5-12.1 as a component of openSUSE Leap 42.1 libswresample-devel-2.8.5-12.1 as a component of openSUSE Leap 42.1 libswresample1-2.8.5-12.1 as a component of openSUSE Leap 42.1 libswresample1-32bit-2.8.5-12.1 as a component of openSUSE Leap 42.1 libswscale-devel-2.8.5-12.1 as a component of openSUSE Leap 42.1 libswscale3-2.8.5-12.1 as a component of openSUSE Leap 42.1 libswscale3-32bit-2.8.5-12.1 as a component of openSUSE Leap 42.1 FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file. CVE-2016-1897 openSUSE Leap 42.1:ffmpeg-2.8.5-12.1 openSUSE Leap 42.1:ffmpeg-devel-2.8.5-12.1 openSUSE Leap 42.1:libavcodec-devel-2.8.5-12.1 openSUSE Leap 42.1:libavcodec56-2.8.5-12.1 openSUSE Leap 42.1:libavcodec56-32bit-2.8.5-12.1 openSUSE Leap 42.1:libavdevice-devel-2.8.5-12.1 openSUSE Leap 42.1:libavdevice56-2.8.5-12.1 openSUSE Leap 42.1:libavdevice56-32bit-2.8.5-12.1 openSUSE Leap 42.1:libavfilter-devel-2.8.5-12.1 openSUSE Leap 42.1:libavfilter5-2.8.5-12.1 openSUSE Leap 42.1:libavfilter5-32bit-2.8.5-12.1 openSUSE Leap 42.1:libavformat-devel-2.8.5-12.1 openSUSE Leap 42.1:libavformat56-2.8.5-12.1 openSUSE Leap 42.1:libavformat56-32bit-2.8.5-12.1 openSUSE Leap 42.1:libavresample-devel-2.8.5-12.1 openSUSE Leap 42.1:libavresample2-2.8.5-12.1 openSUSE Leap 42.1:libavresample2-32bit-2.8.5-12.1 openSUSE Leap 42.1:libavutil-devel-2.8.5-12.1 openSUSE Leap 42.1:libavutil54-2.8.5-12.1 openSUSE Leap 42.1:libavutil54-32bit-2.8.5-12.1 openSUSE Leap 42.1:libpostproc-devel-2.8.5-12.1 openSUSE Leap 42.1:libpostproc53-2.8.5-12.1 openSUSE Leap 42.1:libpostproc53-32bit-2.8.5-12.1 openSUSE Leap 42.1:libswresample-devel-2.8.5-12.1 openSUSE Leap 42.1:libswresample1-2.8.5-12.1 openSUSE Leap 42.1:libswresample1-32bit-2.8.5-12.1 openSUSE Leap 42.1:libswscale-devel-2.8.5-12.1 openSUSE Leap 42.1:libswscale3-2.8.5-12.1 openSUSE Leap 42.1:libswscale3-32bit-2.8.5-12.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00034.html https://www.suse.com/security/cve/CVE-2016-1897.html CVE-2016-1897 https://bugzilla.suse.com/961937 SUSE Bug 961937 FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file. CVE-2016-1898 openSUSE Leap 42.1:ffmpeg-2.8.5-12.1 openSUSE Leap 42.1:ffmpeg-devel-2.8.5-12.1 openSUSE Leap 42.1:libavcodec-devel-2.8.5-12.1 openSUSE Leap 42.1:libavcodec56-2.8.5-12.1 openSUSE Leap 42.1:libavcodec56-32bit-2.8.5-12.1 openSUSE Leap 42.1:libavdevice-devel-2.8.5-12.1 openSUSE Leap 42.1:libavdevice56-2.8.5-12.1 openSUSE Leap 42.1:libavdevice56-32bit-2.8.5-12.1 openSUSE Leap 42.1:libavfilter-devel-2.8.5-12.1 openSUSE Leap 42.1:libavfilter5-2.8.5-12.1 openSUSE Leap 42.1:libavfilter5-32bit-2.8.5-12.1 openSUSE Leap 42.1:libavformat-devel-2.8.5-12.1 openSUSE Leap 42.1:libavformat56-2.8.5-12.1 openSUSE Leap 42.1:libavformat56-32bit-2.8.5-12.1 openSUSE Leap 42.1:libavresample-devel-2.8.5-12.1 openSUSE Leap 42.1:libavresample2-2.8.5-12.1 openSUSE Leap 42.1:libavresample2-32bit-2.8.5-12.1 openSUSE Leap 42.1:libavutil-devel-2.8.5-12.1 openSUSE Leap 42.1:libavutil54-2.8.5-12.1 openSUSE Leap 42.1:libavutil54-32bit-2.8.5-12.1 openSUSE Leap 42.1:libpostproc-devel-2.8.5-12.1 openSUSE Leap 42.1:libpostproc53-2.8.5-12.1 openSUSE Leap 42.1:libpostproc53-32bit-2.8.5-12.1 openSUSE Leap 42.1:libswresample-devel-2.8.5-12.1 openSUSE Leap 42.1:libswresample1-2.8.5-12.1 openSUSE Leap 42.1:libswresample1-32bit-2.8.5-12.1 openSUSE Leap 42.1:libswscale-devel-2.8.5-12.1 openSUSE Leap 42.1:libswscale3-2.8.5-12.1 openSUSE Leap 42.1:libswscale3-32bit-2.8.5-12.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00034.html https://www.suse.com/security/cve/CVE-2016-1898.html CVE-2016-1898 https://bugzilla.suse.com/961937 SUSE Bug 961937