===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.0002
                         djvulibre security update
                              4 January 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           djvulibre
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32493 CVE-2021-32492 CVE-2021-32491
                   CVE-2021-32490 CVE-2021-3630 CVE-2021-3500
                   CVE-2019-18804 CVE-2019-15145 CVE-2019-15144
                   CVE-2019-15143 CVE-2019-15142

Reference:         ESB-2021.2317
                   ESB-2021.2311
                   ESB-2021.2094

Original Bulletin:
   http://www.debian.org/security/2021/dsa-5032

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-5032-1                   security@debian.org
https://www.debian.org/security/                           Florian Weimer
December 28, 2021                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : djvulibre
CVE ID         : CVE-2019-15142 CVE-2019-15143 CVE-2019-15144 CVE-2019-15145
                 CVE-2019-18804 CVE-2021-3500 CVE-2021-3630 CVE-2021-32490
                 CVE-2021-32491 CVE-2021-32492 CVE-2021-32493
Debian Bug     : 945114 988215

Several vulnerabilities were discovered in djvulibre, a library and set
of tools to handle documents in the DjVu format. An attacker could crash
document viewers and possibly execute arbitrary code through crafted
DjVu files.

For the oldstable distribution (buster), these problems have been fixed
in version 3.5.27.1-10+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 3.5.28-2.

We recommend that you upgrade your djvulibre packages.

For the detailed security status of djvulibre please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/djvulibre

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================