-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1666
                         fribidi security update
                               19 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           fribidi
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-25310 CVE-2022-25309 CVE-2022-25308

Original Bulletin:
   https://www.debian.org/lts/security/2022/dla-2974

Comment: CVSS (Max):  7.0 CVE-2022-25308 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2974-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Thorsten Alteholz
April 10, 2022                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : fribidi
Version        : 0.19.7-1+deb9u2
CVE ID         : CVE-2022-25308 CVE-2022-25309 CVE-2022-25310

Several issues have been found in fribidi, a free implementation of the
Unicode BiDi algorithm. The issues are related to stack-buffer-overflow,
heap-buffer-overflow, and a SEGV.

CVE-2022-25308
    stack-buffer-overflow issue in main()

CVE-2022-25309
    heap-buffer-overflow issue in fribidi_cap_rtl_to_unicode()

CVE-2022-25310
    SEGV issue in fribidi_remove_bidi_marks()

For Debian 9 stretch, these problems have been fixed in version
0.19.7-1+deb9u2.

We recommend that you upgrade your fribidi packages.
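The advisory names 0.19.7-1+deb9u2 as the fixed stretch version but leaves the version check to the reader. The script below is an added example, not part of the Debian or AusCERT text: it ports dpkg's version-comparison rules so installed versions can be graded against that fix version (a plain string compare would call 1+deb9u10 older than 1+deb9u2), and queries dpkg when run on a Debian host. The binary package name libfribidi0 is assumed.

```python
import subprocess
FIXED_VERSION = "0.19.7-1+deb9u2"  # stretch fix version from DLA-2974-1

def _order(c):
    # dpkg's character weight: digits 0, letters by ASCII, '~' below everything
    if c.isdigit(): return 0
    if c.isalpha(): return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit and digit segments
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc: return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit(): return 1   # longer digit run wins
        if b and b[0].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(x, y):
    # <0, 0 or >0 like `dpkg --compare-versions`: epoch, then upstream, then revision
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, sep, rev = rest.rpartition("-")
        return (int(epoch), up, rev) if sep else (int(epoch), rest, "")
    (ex, ux, rx), (ey, uy, ry) = split(x), split(y)
    return (ex - ey) or _verrevcmp(ux, uy) or _verrevcmp(rx, ry)

def is_fixed(installed, fixed=FIXED_VERSION):
    return compare_versions(installed, fixed) >= 0

def installed_version(package):
    # Ask dpkg; None when the package is absent or this is not a Debian host
    try:
        return subprocess.check_output(["dpkg-query", "-W", "-f=${Version}", package],
                                       text=True, stderr=subprocess.DEVNULL).strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None

def host_status(package="libfribidi0"):  # assumed binary package name
    # "absent", "fixed" or "VULNERABLE" for the package on this host
    ver = installed_version(package)
    return "absent" if ver is None else "fixed" if is_fixed(ver) else "VULNERABLE"
```

Calling `host_status()` on a stretch machine reports whether the installed libfribidi0 is at or past the fix; the same `is_fixed` can be applied to versions collected from a fleet inventory.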
For the detailed security status of fribidi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fribidi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.