Mumble 1.2.5
Posted on February 5, 2014 by mkrautz
The Mumble team has released version 1.2.5 of the Mumble VoIP application.
This new version contains two important client-side security fixes. We advise our users to download this update as soon as possible from our SourceForge downloads page: http://sourceforge.net/projects/mumble/files/Mumble/1.2.5/
This release contains no new features. For all practical purposes, it is a bug-fix release on top of 1.2.4.
For a list of known issues with this release, please see the 1.2.5 Known Issues wiki page: 1.2.5 Known Issues.
Security advisories for the two fixed vulnerabilities are available below:
Mumble-SA-2014-001 (txt, sig) (CVE-2014-0044)
– A malformed Opus voice packet sent to a Mumble client could trigger a NULL pointer dereference or an out-of-bounds array access.
Mumble-SA-2014-002 (txt, sig) (CVE-2014-0045)
– A malformed Opus voice packet sent to a Mumble client could trigger a heap-based buffer overflow.
If you are using Mumble on Linux or BSD, we recommend that you keep a close eye on your vendor’s security advisories to determine the availability of an update that fixes these vulnerabilities.
The Mumble team
[Update 2014-02-07: added a link to the Known Issues page]