FFmpeg 2.8.5 Is Out, Patches the Vulnerability That Lets Attackers Steal Files Remotely

[Batu69]

All users are urged to upgrade to FFmpeg 2.8.5

FFmpeg 2.8.5 released

Just a few minutes ago, the development team behind the well-known, cross-platform and open source FFmpeg multimedia backend have announced the release of FFmpeg 2.8.5, which is now available for download for all supported operating systems, including GNU/Linux, Mac OS X and Microsoft Windows.

The release notes of FFmpeg 2.8.5 are the same as for any other maintenance version from the FFmpeg 2.8 "Feynman" series. Nothing is specified about the zero-day vulnerability that we reported a couple of days ago, which could have allowed an attacker to steal files from remote machines.

The FFmpeg devs noted that version 2.8.5 is now that latest stable FFmpeg release from the 2.8 release branch, bringing updates to various core components, including ffmpeg-mt, libav 11, and libav master, and that several other libraries have been upgraded to their latest versions at the moment of the announcement.

"2.8.5 was released on 2016-01-15. It is the latest stable FFmpeg release from the 2.8 release branch, which was cut from master on 2015-09-05. Amongst lots of other changes, it includes all changes from ffmpeg-mt, libav master of 2015-08-28, libav 11 as of 2015-08-28," reads today's announcement.

Among the core libraries that have been updated in FFmpeg 2.8.5, we can mention libavutil 54.31.100, libavcodec 56.60.100, libavformat 56.40.101, libavdevice 56.4.100, libavfilter 5.40.101, libavresample 2.1.0, libswscale 3.1.101, libswresample 1.2.101, and libpostproc 53. 3.100.

As expected, you are urged to update to FFmpeg 2.8.5 as soon as possible to fix the critical security issue mentioned in the second paragraph above. Of course, we always recommend our readers to run the latest stable version of a software to avoid system issues and crashes.

Download FFmpeg 2.8.5

Article source

[steven36]

Its not not that simple  as to update to FFmpeg 2.8.5 . 100s  of apps contain the vulnerable versions of  FFmpeg its sort of like when heartbleed bug broke out with open ssl you will have to wait on the developers to update there programs with the new version of FFmpeg

 

List of apps with FFmpeg

https://trac.ffmpeg.org/wiki/Projects

 

there's even some more not on the list even .

[Pequi]

FFmpeg is the mothership of media converters. Used by most gui frontends, can also be used on the command line.

 

Windows versions here:

http://ffmpeg.zeranoe.com/builds/

 

Download the latest static version.

I use it to correct badly encoded videos that torrent themselves onto my PC(I hate it when hackers do that to me), to extract audio files from videos, to increase volume on some movies that are too quiet, to convert flac to high quality MP3, to extract serial photos from movies, make movies much smaller, etc. One day I'll write a tut.

Just download the package, extract the contents of the /bin folder somewhere on your path, and browse through the included help file.

 

Latest:

http://ffmpeg.zeranoe.com/builds/win32/static/ffmpeg-2.8.5-win32-static.7z

 

A tiny example. Convert a folder of flacs to MP3 for your MP3 player:

 

for %a in ("*.flac") do ffmpeg -i "%a" -c:a libmp3lame -q 0 "%~na.mp3"

 

HTH

 

[straycat19]

6 hours ago, steven36 said:

Its not not that simple  as to update to FFmpeg 2.8.5 . 100s  of apps contain the vulnerable versions of  FFmpeg its sort of like when heartbleed bug broke out with open ssl you will have to wait on the developers to update there programs with the new version of FFmpeg

 

List of apps with FFmpeg

https://trac.ffmpeg.org/wiki/Projects

 

there's even some more not on the list even .

 

For what ii's worth, I searched my drives for the ffmpeg.exe file and found a number of programs that have this file in their directory so I just replaced the exe with the new one and tested some of the programs and they work normally.  That alleviates some of the vulnerability.