Mumble Open Source, Low Latency, High Quality Voice Chat

Mumble 1.2.5

Posted on February 2, 2014 by mkrautz

The Mumble team has released version 1.2.5 of the Mumble VoIP application.

This new version contains two important client-side security fixes. We advise our users to download this update as soon as possible from our SourceForge downloads page: http://sourceforge.net/projects/mumble/files/Mumble/1.2.5/

This release contains no new features. For all practical purposes, it is a bug-fix release on top of 1.2.4.

For a list of known issues with this release, please see the 1.2.5 Known Issues wiki page: 1.2.5 Known Issues.

Security advisories for the two fixed vulnerabilities are available below:

Mumble-SA-2014-001 (txt, sig) (CVE-2014-0044)

– A malformed Opus voice packet sent to a Mumble client could trigger a NULL pointer dereference or an out-of-bounds array access.

Mumble-SA-2014-002 (txt, sig) (CVE-2014-0045)

– A malformed Opus voice packet sent to a Mumble client could trigger a heap-based buffer overflow.

If you are using Mumble on Linux or BSD, we recommend that you keep a close eye on your vendor’s security advisories to determine the availability of an update that fixes these vulnerabilities.

The Mumble team

[Update 2014-02-07: added a link to the Known Issues page]