Release Notes: Building with older ffmpeg versions was fixed. Broken playback of some H.264 files was fixed. A version check for the CACA library was added. Several other minor changes were made.
Release Notes: Several security fixes were made. This solves a heap overflow in Quicktime atom parsing, multiple buffer overflows, multiple integer overflows, unchecked or incompletely checked read function results, unchecked malloc using untrusted values, buffer indexing using untrusted or unchecked values, integer overflows in the ffmpeg audio decoder and the CDDA server, and a heap buffer overflow in the ffmpeg video decoder. A segfault on invalid track type in Matroska files is avoided. Several further bugfixes were made. H.264 and AAC streams are now supported within FLV.
Release Notes: Several security fixes have been made, such as for crashes with various corrupted media files, as reported in CVE-2008-3231. An exploitable ID3 heap buffer overflow has been fixed. Some checks for memory allocation failures have been added. A V4L segfault has been resolved. AMR audio and Snow video are now recognized. Xv deinterlacing image corruption on some chipsets has been solved. Crashes with MP3 files with metadata consisting only of separators have been fixed. An Xv port and type selection have been added. Content type detection for HTTP streams has been improved. Several DVB and V4L improvements and fixes have been made.
Release Notes: A buffer overflow in the NSF demuxer, possibly allowing remote attackers to cause a denial of service (crash) or execute arbitrary code, was fixed. This vulnerability was reported as CVE-2008-1878. More usage of calloc() was deployed to provide extra safety against possible integer overflows as found in CVE-2008-1482. The JACK output plugin was improved. The display of some MJPEG streams (YUVJ420P) was fixed.
Release Notes: An insufficient boundary check in the Speex audio decoder, as reported in CVE-2008-1686, was fixed. Two regressions in 184.108.40.206, breaking QuickTime container handling and the Matroska demuxer, were fixed. Various improvements were made to the Real codec. The PulseAudio driver was improved.
Release Notes: Several integer overflows were fixed in FLV, Qt, Real, WC3Movie, Matroska, and FILM demuxers. These overflows allowed remote attackers to trigger heap overflows and possibly execute arbitrary code (reported in CVE-2008-1482). Several other minor bugs were fixed.
Release Notes: An array indexing vulnerability in sdpplin_parse(), as reported in CVE-2008-0073, was fixed. Plugin version handling was improved. A breakage caused by an off-by-one in the FLAC security fix was solved. Support for 16-bit big-endian DTS audio was added. The frame snapshot API was improved. A long delay when closing stream on dual core systems was resolved.
Release Notes: A potential stack buffer overflow via crafted FLAC tags, as reported in CVE-2008-0486, was fixed. Detection of MP3 streams with ID3v2 tags was improved. A RealPlayer codec detection bug was fixed.
Release Notes: A buffer overflow which allows a remote attacker to execute arbitrary code or crash the client via a crafted ASF header, related to CVE-2006-1664, was fixed. The default V4L device paths were sanitized, and the V4L ALSA audio input device was made configurable. Streaming audio playback and a possible crash on DVB channel change were fixed. The recently broken support for subtitles with schemes was fixed. Several improvements and bugfixes were made for the Flash video demuxer. xine-config is now based on pkg-config.
Release Notes: This release fixes an RTSP header buffer overflow, as reported in CVE-2008-0225. Upgrading is strongly recommended. Furthermore, fixes were made for a read-past-end bug in the internal strtok_r() implementation, and for a bug which caused video playback display errors on PPC/Darwin.