-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2147
                          ffmpeg security update
                              29 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ffmpeg
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-11719 CVE-2017-11665 CVE-2017-11399
                   CVE-2017-9993 CVE-2017-9608

Original Bulletin:
   http://www.debian.org/security/2017/dsa-3957

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running ffmpeg check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3957-1                   security@debian.org
https://www.debian.org/security/                             Luciano Bello
August 28, 2017                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : ffmpeg
CVE ID         : CVE-2017-9608 CVE-2017-9993 CVE-2017-11399 CVE-2017-11665
                 CVE-2017-11719

Several vulnerabilities have been discovered in FFmpeg, a multimedia
player, server and encoder. These issues could lead to Denial-of-Service
and, in some situations, the execution of arbitrary code.

CVE-2017-9608

    Yihan Lian of Qihoo 360 GearTeam discovered a NULL pointer access
    when parsing a crafted MOV file.

CVE-2017-9993

    Thierry Foucu discovered that it was possible to leak information
    from files and symlinks ending in common multimedia extensions,
    using HTTP Live Streaming.

CVE-2017-11399

    Liu Bingchang of IIE discovered an integer overflow in the APE
    decoder that can be triggered by a crafted APE file.

CVE-2017-11665

    JunDong Xie of Ant-financial Light-Year Security Lab discovered
    that an attacker able to craft an RTMP stream can crash FFmpeg.

CVE-2017-11719

    Liu Bingchang of IIE discovered an out-of-bounds access that can
    be triggered by a crafted DNxHD file.

For the stable distribution (stretch), these problems have been fixed in
version 7:3.2.7-1~deb9u1.

We recommend that you upgrade your ffmpeg packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlmkgDYACgkQbsLe9o/+
N3T8Uw//SjcX5ZPW2HpGoXQ0Ai9MG0iHDOntJ+9NSmqDc0byW4GMFyGNt6WJnvau
dZvXzOSBRLk+I+WmdgeFy6DnroXA/VSoRMBhFXMKIfxJgNTTodIr6G06XACLBr2W
5Tl5F4+gjKzFHxfG1ypux6D1QSo88a8uiEoR+kDXSuoEH/yZ2irC/bX0rwtap7Fu
/BrfsClsUFOAbDadN3XiOOiK3b4FRE+UfTEAaLMnMYrMJfX8CiC5ABi9tG7imZXr
rlj7pSp2rlosgqSCZ+uCo6haqg9jamiBmzZbT1qSD+VjLFmGMvw/yuRN3wGSt5kQ
nxuLVNghg7qGi660R5ci9TYpn5UyBprkeEVQLh3Ts3U8VpN169yFAD+Zln/2KGVw
mYSjEjXiPg4IE2/Phfw8XIqaO1zTezAU/yTMd4XBl2n7j1swAMgdaDPfmIBMg74w
+iQOWM7D4xY01sXwgjdo9wVpsZuWU6KiSp1A4Y0QeozU0/ZMwlHlQHLlIDWfYhr6
EfgwG3y+ZfyHDiJELU1yuXv6gPxSvfn+MgkNopqzUNbMOZytX705fWA4cwV2fIFF
G4RwVsJfV2tA1Zf+wUvjighm54r8mpRExtyQdi79Il4cws+5ggeAX2cT5Te6mosI
3CR8dKBZmfpRgRmcKUTJLZmFaD0pm+g/HCpV0+bZ+Xx7RbF7NGI=
=Y7WV
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWaSo64x+lLeg9Ub1AQjftxAAqD9fGsOkbQIsJ+9HSnQADKp7qK8mJwca
xJum2X/sILVmj+UIUOqwkoLjXWQVTXD18H/pFQbQSVOHAclpkP+uU1YJ/eQ1JnEK
M+tkX8acZIfNR50pyYjuQkoA0VNiVLcVfVR4B4OE8iK6GpaMc+A4f61ssbNoUJA2
uMGcNeiaF7l745a9z+/V1Ef/WcPpyf0JLRSq4wUslVVfNMGqZ0ChkZNd+uz5CVGL
QwNdOebk188tXlpsyKEmszbnRSkr/OeVOUXO5Kiot00y3L7/motOOqMKlu4IHLgl
UNxXQbwHPG575gtVBZnRQ5Ef8BaR3Tt/ZA4wP/0l///VL00D+9ciyYzyRx2Ew9XC
a83EzOy/oIkCgi2D1D/2AC5hiMI2S+NYJnyns7/ClTDV4jGjHCvaacO3yM3S9nrP
pOHil6sF4F0zdMdcof6Gmn/yLoEIbjkTE+n0yF2GIhB438eFp/MQLwzlrbewNVzF
7o3sFRpQOsD0YzgSHxTpIh3zruxioW6/A0I5TqeNW5G0v1n4p34bNe1ogE5bw5/H
7NHy6Bs1E3FpQCfIj3ye8mYO100YbtTznDwUr1E0ak87evIi+Pg+iUcV37v35yhP
yS5Ge06ti3TIJIjVuGYl+LGJsz2WS7I4SGSiZPXW/7rH+AbOojusm22HBe5FNaDB
rS8pDC3NRg8=
=sjnp
-----END PGP SIGNATURE-----
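The bulletin's only remediation is the fixed package version for stretch, 7:3.2.7-1~deb9u1, so the practical check on a host is whether the installed ffmpeg version sorts before it under Debian's rules. The following is an added example, not part of the AusCERT bulletin and not Debian's own tooling: it reimplements the comparison order described in deb-version(7) (epoch first, then upstream version, then Debian revision, alternating non-digit fragments and numeric runs, with `~` sorting before everything including end of string) in pure Python so it runs without dpkg. On a Debian host the authoritative equivalent is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' ffmpeg)" lt 7:3.2.7-1~deb9u1`. The sample installed versions in the block are constructed.

```python
"""Added example: decide whether an installed Debian package version predates
the fixed ffmpeg version named in DSA-3957-1, using the ordering rules of
deb-version(7). Pure Python, no dpkg required."""
import re

# Fixed version quoted in the bulletin for Debian 9 (stretch).
FIXED_VERSION = "7:3.2.7-1~deb9u1"


def _char_order(c):
    """Sort weight of one character in a non-digit fragment.
    deb-version(7): '~' sorts before anything, even the end of the string;
    letters sort before non-letters."""
    if c == "~":
        return -1
    if c == "":          # end of fragment
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256  # punctuation sorts after all letters


def _cmp_nondigit(a, b):
    """Compare two non-digit fragments character by character."""
    for i in range(max(len(a), len(b))):
        ca = a[i] if i < len(a) else ""
        cb = b[i] if i < len(b) else ""
        oa, ob = _char_order(ca), _char_order(cb)
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_component(a, b):
    """Compare an upstream version or a Debian revision: alternate between
    non-digit fragments (lexical, modified order) and digit runs (numeric)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_component(ua, ub)
    if r:
        return r
    return _cmp_component(ra, rb)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is strictly older than the fixed one."""
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for v in ["7:3.2.5-1", "7:3.2.7-1~deb9u1", "7:3.2.7-1~deb9u2",
              "7:3.2.7-1", "6:4.0-1"]:
        print(f"{v:20} {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

Two points the sample output makes that a naive string or numeric comparison gets wrong: the revision `1` sorts after `1~deb9u1` (a tilde suffix marks a pre-release of the revision), and the constructed `6:4.0-1` counts as older than the fix despite its higher upstream number because the epoch is compared first.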