ESB-2017.2538 - [UNIX/Linux][Debian] libxfont: Multiple vulnerabilities 2017-10-11


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2538
                         libxfont security update
                              11 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxfont
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13722 CVE-2017-13720 

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3995

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running libxfont check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3995-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 10, 2017                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libxfont
CVE ID         : CVE-2017-13720 CVE-2017-13722

Two vulnerabilities were found in libXfont, the X11 font rasterisation
library, which could result in denial of service or memory disclosure.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:1.5.1-1+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1:2.0.1-3+deb9u1.

We recommend that you upgrade your libxfont packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
