Mumble 1.2.5

Posted on February 5, 2014 by mkrautz

The Mumble team has released version 1.2.5 of the Mumble VoIP application.

This new version contains two important client-side security fixes. We advise our users to download this update as soon as possible from our SourceForge downloads page: http://sourceforge.net/projects/mumble/files/Mumble/1.2.5/

This release contains no new features. For all practical purposes, it is a bug-fix release on top of 1.2.4.

For a list of known issues with this release, please see the 1.2.5 Known Issues wiki page: 1.2.5 Known Issues.

Security advisories for the two fixed vulnerabilities are available below:

Mumble-SA-2014-001 (txt, sig) (CVE-2014-0044)

– A malformed Opus voice packet sent to a Mumble client could trigger a NULL pointer dereference or an out-of-bounds array access.

Mumble-SA-2014-002 (txt, sig) (CVE-2014-0045)

– A malformed Opus voice packet sent to a Mumble client could trigger a heap-based buffer overflow.

If you are using Mumble on Linux or BSD, we recommend that you keep a close eye on your vendor’s security advisories to determine the availability of an update that fixes these vulnerabilities.

The Mumble team

[Update 2014-02-07: added a link to the Known Issues page]