-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.0002
                         djvulibre security update
                              4 January 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           djvulibre
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32493 CVE-2021-32492 CVE-2021-32491
                   CVE-2021-32490 CVE-2021-3630 CVE-2021-3500
                   CVE-2019-18804 CVE-2019-15145 CVE-2019-15144
                   CVE-2019-15143 CVE-2019-15142 

Reference:         ESB-2021.2317
                   ESB-2021.2311
                   ESB-2021.2094

Original Bulletin: 
   http://www.debian.org/security/2021/dsa-5032

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-5032-1                   security@debian.org
https://www.debian.org/security/                           Florian Weimer
December 28, 2021                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : djvulibre
CVE ID         : CVE-2019-15142 CVE-2019-15143 CVE-2019-15144 CVE-2019-15145 
                 CVE-2019-18804 CVE-2021-3500 CVE-2021-3630 CVE-2021-32490 
                 CVE-2021-32491 CVE-2021-32492 CVE-2021-32493
Debian Bug     : 945114 988215


Several vulnerabilities were discovered in djvulibre, a library and
set of tools to handle documents in the DjVu format. An attacker could
crash document viewers and possibly execute arbitrary code through
crafted DjVu files.

For the oldstable distribution (buster), these problems have been fixed
in version 3.5.27.1-10+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 3.5.28-2.

We recommend that you upgrade your djvulibre packages.

For the detailed security status of djvulibre please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/djvulibre

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----