package/vlc: security bump version to 2.2.6

Fixes CVE-2017-8312: Heap out-of-bound read in ParseJSS in VideoLAN VLC due
to missing check of string length allows attackers to read heap
uninitialized data via a crafted subtitles file.

[Peter: add CVE info]
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit b2f2f92887)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/vlc/vlc.hash

@@ -1,6 +1,2 @@
-# From http://get.videolan.org/vlc/2.2.5.1/vlc-2.2.5.1.tar.xz.md5
-md5 7ab63964ffec4c92a54deb018f23318b vlc-2.2.5.1.tar.xz
-# From http://get.videolan.org/vlc/2.2.5.1/vlc-2.2.5.1.tar.xz.sha1
-sha1 042962dba68e1414aa563883b0172ee121cf9555 vlc-2.2.5.1.tar.xz
-# From http://get.videolan.org/vlc/2.2.5.1/vlc-2.2.5.1.tar.xz.sha256
-sha256 b28b8a28f578c0c6cb1ebed293aca2a3cd368906cf777d1ab599e2784ddda1cc vlc-2.2.5.1.tar.xz
+# From http://download.videolan.org/pub/videolan/vlc/2.2.6/vlc-2.2.6.tar.xz.sha256
+sha256 c403d3accd9a400eb2181c958f3e7bc5524fe5738425f4253d42883b425a42a8  vlc-2.2.6.tar.xz

package/vlc/vlc.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-VLC_VERSION = 2.2.5.1
+VLC_VERSION = 2.2.6
 VLC_SITE = http://get.videolan.org/vlc/$(VLC_VERSION)
 VLC_SOURCE = vlc-$(VLC_VERSION).tar.xz
 VLC_LICENSE = GPLv2+, LGPLv2.1+