NOTE: This release and version documentation is no longer being updated. Please see our announcements on our blog or our GitHub releases.
Mumble 1.2.13 fixes a security-relevant bug in Murmur when running on Windows systems that allowed an unauthenticated user to cause Denial of Service on the server’s UDP connection.
We would like to thank LuaMilkshake for responsibly reporting this issue to the Mumble project.
This release of Mumble on Windows is also the first stable release in the 1.2-series that is only code-signed with a SHA256 authenticode signature and certificate. Previous releases were signed by both a SHA1 signature and certificate, as well as a SHA256 signature and certificate.
This new code-signing setup can cause issues with some versions of Windows that do not support SHA256 code-signing. If your Mumble installer on Windows does not seem to be Authenticode signed, it probably means that your version of Windows does not support SHA256 code-signing. In that case, we recommend that you ensure the integrity of your Mumble installer by verifying the detached GPG signature (mumble-1.2.13.msi.sig) against our "Mumble Automatic Build Infrastructure 2016" GPG key.
Issues fixed in this release include:
In previous versions of Mumble, it was possible to perform a Denial of Service attack on Murmur servers running on Windows. See Mumble-SA-2016-001 (sig) for more information.
For a full changelog, please see the diff between 1.2.12 and 1.2.13 on GitHub.
We recommend that all users of Murmur (the server component of Mumble) on Windows upgrade immediately.