February 10th, 2009
· Build fixes related to ImageMagick 6.4 & later.
· Fix an error in Matroska PTS calculation.
· Some front ends hang due to the hang fixes in 1.1.16. Fix this by removing a break statement.
· Fix broken size checks in various input plugins (ref. CVE-2008-5239).
· More malloc checking (ref. CVE-2008-5240).
· Fix race conditions in gapless_switch (ref. KDE bug #180339).
· Fix a possible integer overflow in the 4XM demuxer. (TKADV2009-004.txt)
January 12th, 2009
· Fix build with older ffmpeg, both internal and in Debian 5.0.
· Add version check for CACA library and disable CACA plugin if needed.
· Fix playback of some H.264 files (broken in 1.1.16).
· Various other build & bug fixes.
· Some FAQ list updates.
January 7th, 2009
Security fixes:
· Heap overflow in Quicktime atom parsing. (CVE-2008-5234 vector 1)
· Multiple buffer overflows. (CVE-2008-5236)
· Multiple integer overflows. (CVE-2008-5237)
· Unchecked read function results. (CVE-2008-5239)
· Unchecked malloc using untrusted values. (CVE-2008-5240 vectors 3 & 4)
· Buffer indexing using an untrusted value. (CVE-2008-5243)
· Integer overflows in the ffmpeg audio decoder and the CDDA server.
· Heap buffer overflow in the ffmpeg video decoder.
· Fix reported compilation failures (with C++ programs).
· Fix CDDB access in 64-bit builds.
· Fix seeking FLV clips that don't specify the movie length in the headers.
· Support H.264 and AAC streams within FLV.
· Fix timing issues (broken audio) on mingw.
· Add ID3 tag TDRC to replace/complement the deprecated tag TYER.
· Add a new meta-tag, "Composer", and use it in the FLAC demuxer.
· Correct AAC channel ordering for multi-channel audio, at least for FLAC when using ALSA or PulseAudio. (Needs a proper fix.)
· Add position-based seeking independent from seekpoints.
· Fix some XCB Xv attribute configuration breakage.
· Add a configuration option for Xv bicubic filtering, implemented in xf86-video-ati 6.9.1.
· Recognise Xv "blitter" adaptors for port selection purposes. NOTE: you will need to remove ~/.xine/catalog.cache when upgrading from xine-lib 1.1.15 or older if you wish to use this extra option.
· Fix MMS media requests where the URI contains %-encoded characters.
· Fix two hangs related to stopping playback of broken audio streams where no audio data is sent to the output thread.
· Fix WAV demuxer to send the last frames when they don't fit perfectly into the buffer.