-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0043.2
                            jasper security update
                                 15 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jasper
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Linux variants
                   Windows
                   OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-20622 CVE-2018-20584 CVE-2018-20570
                   CVE-2018-19542 CVE-2018-19541 CVE-2018-19540
                   CVE-2018-19539 CVE-2018-19139 CVE-2018-18873

Original Bulletin:
   https://security-tracker.debian.org/tracker/DLA-1628-1
   https://security-tracker.debian.org/tracker/DLA-1628-2

Comment: This bulletin contains two (2) Debian security advisories.

         This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running jasper check for an updated version of the software for
         their operating system.

Revision History:  April 15 2019: Vendor released a regression update
                   January 3 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jasper
Version        : 1.900.1-debian1-2.4+deb8u5
CVE ID         : CVE-2018-18873 CVE-2018-19139 CVE-2018-19539 CVE-2018-19540
                 CVE-2018-19541 CVE-2018-19542 CVE-2018-20570 CVE-2018-20584
                 CVE-2018-20622

Multiple issues were found in the JasPer JPEG-2000 library that could lead
to a denial-of-service (application crash), memory leaks and potentially
the execution of arbitrary code if a malformed image file is processed.

For Debian 8 "Jessie", these problems have been fixed in version
1.900.1-debian1-2.4+deb8u5.
We recommend that you upgrade your jasper packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlwtQcdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeQHaw//XscscTqY1mWZYpCaZUaiUS0ue09aSAXyBqeQP+Sp9zi6srfu7Gx/Enxk
FCdafUlNC2H49v8eJfnnSpTaQl2y0LuDKqONM6WufERV53RI30EGeMT76qAtL26z
MprNL72RN1dG3AFwnujmKmutxjQUd/v5EWCCqgqibtX+PWF1GcJ8Kfh0j2C9rkN2
MNe+2wy7a9Z7oOBklBnb8uJ4TH67z/4P0gV0y/pAgQ677siGn7ZIAQ2CmBtwbd/4
Sr1ReDhQeVrVznEsnqYEsEQ57IyDFuMUScTkLcXloqOriF2ipjzDG+8FL3MKmUoI
hnf8vGwTu5CoLC5PtxWH+0dKXStHGTW7MatGNjrqYuX+AMoSZ9Ab6xV4fqnMn86x
aSgeM2rpUT8Umh8BMcXX5/n1OmV5gOcMo1x+9STvUZPMqgSO3i8wj37nYlUTF+9D
J9dustesQInXXfDVXrkgzyURPuo9HPwKalVxs1ezhL0swIe2ZtCyY0zopUPnLPzx
TDoKomAg+CDpdtJfTbIoGe9+9FETU/eTYr1FxewBbaQga6OiNb3jKcjuNC/864wm
/+NtC7fOktZZiXBcmNLyEAlr0ml3ZRtdgQxs3HxWmOM379p6puSOnx6JJqfVRUpB
LXeE3vltt95+aubx/sn+7p5Ja1vBhxE7PSYMb62v8tCe7ZhpjI8=
=Fw8o
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jasper
Version        : 1.900.1-debian1-2.4+deb8u6

The update of jasper issued as DLA-1628-1 caused a regression due to the
fix for CVE-2018-19542, a NULL pointer dereference in the function
jp2_decode, which could lead to a denial-of-service. In some cases not
only invalid jp2 files but also valid jp2 files were rejected.

For Debian 8 "Jessie", this problem has been fixed in version
1.900.1-debian1-2.4+deb8u6.

We recommend that you upgrade your jasper packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlyyVYRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeTSSg/8DeFZqhC5gjHoP/7eC20HBa0HUqhAVFvSnaq7Wb3auNioTf3YS7TVufod
1UMFZ+ykS2BMXLI/HEh7YjD/dzb2t3Ji6ONHRcoYjw5Gpg6INnT19jI8VoCyZRGr
Mys+GorCntdDrC6ZV/sfwtKnPA+ALl08r32ADbQ49N/CspRaqtWQPFAJ9KYbzXo1
oUFKo4S3eOlcM3CB+AA4AgXIeO3nWxcR4i6qFXvRO8g+z68ZCcSKwm8iKc1MuRaD
SCZPEn1jlbNOvAmR2DDW7QUoT0GjHhME1kAoaWo9pJ/o2hrB5KkkHhdCXwsPFQ8w
p5LOr0YkYx7peVsyu6Aed2Y/uzO7SH3XJf6dP272G0HbBaa4ei7ImtFHMIBrvoVX
SVB2FxNZO6jrg4M7DU64zg1+mg4ptf/cbVw3QCZe14wuNjuTYN5oMAVYiT5+b8/X
0MtZPQJyNxWd2lq+eXGSAx2n7iYGj1TW6FERjHwiUkNRD1ehtd2fKaCLlWAJ0eOA
z73W5uNjP5ftFDiL9V/AUfpg2tRHJ11uS4Z5UIEkVETK5WYSbfTpmr0oFMY2WLUA
PBBH1R8KTNozvomMe+c78BbDxMGoEYJlHMG3NJh4hSFgwzE2vGU+80Y/mSAK795/
ZIPlKyXiPTV+e1m7qacMYK+/5xg/KMdj8E2GRgfsrynSXRWOEHI=
=Ozle
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXLPFtWaOgq3Tt24GAQjv7xAAoGw6RnEtoaO1Fej/tv+N0ZUxDZuenNSa
KJ7kTMRNYNEj5rwIs+y3RLEzU55V3Q6IsN1sAtNQNqI7Ufg4rTwfSeHrsif0LhmJ
92Nw1y5rmNQnN4dIpvFp9OXBmUCK12gwga+sHT97yoBW3uL9TWdaIDt/VKlshOfR
yC77utlov9dOz+dRWrkHhgRsgI62b6HmAf7y1gUWi62lyKNwigaDskQVydkss5cf
b0VHuKy8Kfc8jXIcdZCEqdydS/dyxYwO9vF6Aeu5uM2LeqClsmOkHEcBeKz43IjD
RF3ZhbR0QmwTeiBTZ/IIABjCQZbweYbIz3t8oDz3BviGlmqU+8c/PiU3GbcnrBML
x4lC0NzPK+e6Jcazp21cgrNeDSopwfacRhoc7xjGaShL2d/UOiCHFJ24rgxDKZ2T
saD6Jc4jDSsOz2hgrVetAUXiWSSzAoX2RKHHp4zn0JWq52mtUxkGXbGTL8qnMtWO
bwNlno1S0tQj4yVW/p9tvAX1ATVoXzBZ7ULH/KlMru6ZVRaJgfvUEg+qhyAqYqVk
GSFVQckIiCr5oNmlh+Io6aZrspMLk32Qak1zAHj7baZER0bRaJosl4LLeumBHDec
qonup8ZAcT0aGhj1sur6Jtg1tF5wTFRzGOn8zFzB8HYxXxLB4byvNTa99OYt0kN8
fZtUZxheyd4=
=h+C+
-----END PGP SIGNATURE-----
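The two Debian advisories above leave a Jessie host in one of three states: older than 1.900.1-debian1-2.4+deb8u5 (the nine CVEs unpatched), exactly deb8u5 (CVEs patched, but the jp2_decode regression from DLA-1628-1 rejects valid jp2 files), or deb8u6 and later (both fixed). Deciding which state a host is in means comparing Debian version strings correctly, where "deb8u10" must sort after "deb8u6" and "~" sorts before everything. The Python below is an added example written for this bulletin; it is not AusCERT's or Debian's code. It ports dpkg's version-comparison rules and classifies installed packages against the two fixed versions. The binary package names libjasper1, libjasper-dev and libjasper-runtime are assumed to be the ones built from the jasper source package, and the dpkg-query output it parses is a constructed sample, not data from the bulletin.

```python
# Added example: classify installed jasper packages against DLA-1628-1/-2.
# Version comparison is a port of dpkg's verrevcmp() rules (epoch, upstream
# part, Debian revision). Package names and sample output are assumptions.

# Fixed versions quoted from the two advisories.
REGRESSED_VERSION = "1.900.1-debian1-2.4+deb8u5"  # DLA-1628-1: CVE fixes, jp2 regression
FIXED_VERSION = "1.900.1-debian1-2.4+deb8u6"      # DLA-1628-2: regression fixed

# Assumed binary packages built from the jasper source package on Debian 8.
JASPER_BINARIES = {"libjasper1", "libjasper-dev", "libjasper-runtime"}


def _order(c: str) -> int:
    # dpkg character weight: '~' before everything (even end of string),
    # letters before other symbols, digits handled by the numeric phase.
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    # Compare one version part by alternating non-digit and numeric runs.
    i = j = 0

    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while ch(a, i) == "0":      # leading zeros are insignificant
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():      # longer numeric run wins: 10 > 6
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1: str, v2: str) -> int:
    # Return <0, 0, >0 as v1 is older than, equal to, or newer than v2.
    def split(v: str):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def classify(version: str) -> str:
    # Map an installed jasper version to its status under the two DLAs.
    if compare_versions(version, REGRESSED_VERSION) < 0:
        return "VULNERABLE: DLA-1628-1 CVE fixes missing; upgrade to " + FIXED_VERSION
    if compare_versions(version, FIXED_VERSION) < 0:
        return "REGRESSED: deb8u5 rejects valid jp2 files; upgrade to " + FIXED_VERSION
    return "FIXED: at or above " + FIXED_VERSION


def audit(dpkg_query_output: str) -> dict:
    # Parse "package version" lines as printed by
    # dpkg-query -W -f='${Package} ${Version}\n' and classify jasper binaries.
    result = {}
    for line in dpkg_query_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in JASPER_BINARIES:
            result[parts[0]] = classify(parts[1])
    return result


# Constructed sample of dpkg-query output showing all three states (not real data).
SAMPLE_DPKG_OUTPUT = """\
libc6 2.19-18+deb8u10
libjasper1 1.900.1-debian1-2.4+deb8u3
libjasper-runtime 1.900.1-debian1-2.4+deb8u5
libjasper-dev 1.900.1-debian1-2.4+deb8u6
"""

if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg}: {status}")
```

On a real host, feed `audit()` the output of `dpkg-query -W -f='${Package} ${Version}\n'` instead of the constructed sample; the comparison logic is the same one `dpkg --compare-versions` applies, so the script can be run from a central inventory without dpkg present.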