The VideoLAN Forums

I am running VLC 3.0.11 Vetinari on Windows 10 Enterprise.
I was prompted by VLC to update to 3.0.12 with the following text: "VideoLAN and the VLC development team present VLC 3.0.12 "Vetinari".
VLC 3.0.12 is a small update to VLC 3.0 branch, improving support for Blu-Rays, RIST, DASH, WMV and Youtube, fixing some graphic drivers bugs and some security issues."

After clicking "Yes" I am presented with the following warning. Clearly any users receiving this warning should not proceed. Is this a VLC codebase supply chain attack?

1st attempt:
You attempted to reach softlibre.unizar.es. However, the security certificate presented by the server is unknown and could not be authenticated by any trusted Certificate Authority.
The problem may stem from an attempt to breach your security, compromise your privacy, or a configuration error.
If in doubt, abort now.

2nd attempt:
You attempted to reach ftp.fau.de. However, the security certificate presented by the server is unknown and could not be authenticated by any trusted Certificate Authority.
The problem may stem from an attempt to breach your security, compromise your privacy, or a configuration error.
If in doubt, abort now.

Subsequent update attempts display different sites names, all with the same warning.

I am unclear as to why my post was moved to "Contribute and help the VideoLAN project" without any comments. It would be good to understand why this security warning is being experienced.

Moved to the "Forum and Website" section as it might be linked to some web redirection.
I have no idea about what is going on there, let's hope someone in charge will react and inform us soon.

I reported this to VLC's published security email address (https://www.videolan.org/security/) on 2021-1-25 at 22:16 UTC+2. I have not had a response as yet.

VLC updates are mirrored over 3rd party servers.
They can have bogus or untrusted certificates.
VLC is designed to update over insecure channel.
Update signature is checked after download.
That's not a problem.

@InTheWings, I agree that update servers may have bogus or untrusted certificates. That is why VLC validates the certificates before doing the download and why one should NOT accept a download from a site with a bad certificate. This is why I ask what is causing so many (every, in my case) update sites to report a problematic certificate. Either all the sites that my client is contacting are malicious, or all the sites have expired certs, or my client has code in it that is forcing it to update from non-VLC-approved sites. I can't tell which is the case.
Hence VLC Security should respond after investigating. I have notified them via email too.