-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4517
                          libvpx security update
                             29 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libvpx
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 10
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9433 CVE-2019-9371 CVE-2019-9325
                   CVE-2019-9232  

Reference:         ASB-2019.0248
                   ESB-2019.4494

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4578

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4578-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 28, 2019                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libvpx
CVE ID         : CVE-2019-9232 CVE-2019-9325 CVE-2019-9433 CVE-2019-9371

Multiple security issues were found in the libvpx multimedia library which
could result in denial of service and potentially the execution of
arbitrary code if malformed WebM files are processed.
      
For the oldstable distribution (stretch), these problems have been fixed
in version 1.6.1-3+deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 1.7.0-3+deb10u1.

We recommend that you upgrade your libvpx packages.

For the detailed security status of libvpx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvpx

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----