Posted on May 14, 2014 by mkrautz
The Mumble team has released version 1.2.6 of the Mumble VoIP application.
This new version contains two client-side security fixes. We advise our users to download this update as soon as possible from our SourceForge downloads page: http://sourceforge.net/projects/mumble/files/Mumble/1.2.6/
This release contains no new features. For all practical purposes, it is a bug-fix release on top of 1.2.5.
The release contains new versions of both Mumble (client) and Murmur (server), but since the security fixes only apply to the client, you should be fine if you are still running 1.2.5 or even 1.2.4 Murmur server.
For a list of known issues with this release, please see the wiki page 1.2.6 Known Issues.
Security advisories for the fixed vulnerabilities are available below:
Mumble-SA-2014-005 (txt, sig) – SVG images with local file references could trigger client DoS
Mumble-SA-2014-006 (txt, sig) – The Mumble client did not properly HTML-escape some external strings before using them in a rich-text (HTML) context.
For our binary packages (Windows and OS X clients), this release also fixes Qt’s GIF decoder vulnerability: CVE-2014-0190 – The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
If you are using Mumble on Linux or BSD, we recommend that you keep an eye on your vendor’s security advisories or package updates to determine the availability of an update that fixes these vulnerabilities.
And last but not least, we should mention that snapshot builds are also affected by these issues. So if you are running snapshots, we strongly recommend that you install any updates when your client prompts you.
The Mumble team