Operating System: [Debian]

Published: 27 November 2019


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4494
                          libvpx security update
                             27 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libvpx
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9433 CVE-2019-9232 

Reference:         ASB-2019.0248

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/11/msg00030.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libvpx
Version        : 1.3.0-3+deb8u2
CVE ID         : CVE-2019-9232 CVE-2019-9433


Several issues have been found in libvpx, a VP8 and VP9 video codec.

CVE-2019-9232

  There is a possible out of bounds read due to a missing bounds check.
  This could lead to remote information disclosure with no additional
  execution privileges needed. User interaction is not needed for
  exploitation.

CVE-2019-9433

  There is a possible information disclosure due to improper input
  validation. This could lead to remote information disclosure with
  no additional execution privileges needed. User interaction is
  needed for exploitation.

For Debian 8 "Jessie", these problems have been fixed in version
1.3.0-3+deb8u2.

We recommend that you upgrade your libvpx packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----