-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3070
                          libcroco security update
                               9 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libcroco
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 8
                   Red Hat Enterprise Linux WS/Desktop 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Remote with User Interaction
                   Denial of Service        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12825

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:3654

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Red Hat. It is recommended that administrators
         running libcroco check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: libcroco security update
Advisory ID:       RHSA-2020:3654-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3654
Issue date:        2020-09-08
CVE Names:         CVE-2020-12825
=====================================================================

1. Summary:

An update for libcroco is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

libcroco is a standalone Cascading Style Sheet level 2 (CSS2) parsing and
manipulation library.

Security Fix(es):

* libcroco: Stack overflow in function cr_parser_parse_any_core in
  cr-parser.c (CVE-2020-12825)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1835377 - CVE-2020-12825 libcroco: Stack overflow in function cr_parser_parse_any_core in cr-parser.c

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
libcroco-0.6.12-4.el8_2.1.src.rpm

aarch64:
libcroco-0.6.12-4.el8_2.1.aarch64.rpm
libcroco-debuginfo-0.6.12-4.el8_2.1.aarch64.rpm
libcroco-debugsource-0.6.12-4.el8_2.1.aarch64.rpm

ppc64le:
libcroco-0.6.12-4.el8_2.1.ppc64le.rpm
libcroco-debuginfo-0.6.12-4.el8_2.1.ppc64le.rpm
libcroco-debugsource-0.6.12-4.el8_2.1.ppc64le.rpm

s390x:
libcroco-0.6.12-4.el8_2.1.s390x.rpm
libcroco-debuginfo-0.6.12-4.el8_2.1.s390x.rpm
libcroco-debugsource-0.6.12-4.el8_2.1.s390x.rpm

x86_64:
libcroco-0.6.12-4.el8_2.1.i686.rpm
libcroco-0.6.12-4.el8_2.1.x86_64.rpm
libcroco-debuginfo-0.6.12-4.el8_2.1.i686.rpm
libcroco-debuginfo-0.6.12-4.el8_2.1.x86_64.rpm
libcroco-debugsource-0.6.12-4.el8_2.1.i686.rpm
libcroco-debugsource-0.6.12-4.el8_2.1.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:
libcroco-debuginfo-0.6.12-4.el8_2.1.aarch64.rpm
libcroco-debugsource-0.6.12-4.el8_2.1.aarch64.rpm
libcroco-devel-0.6.12-4.el8_2.1.aarch64.rpm

ppc64le:
libcroco-debuginfo-0.6.12-4.el8_2.1.ppc64le.rpm
libcroco-debugsource-0.6.12-4.el8_2.1.ppc64le.rpm
libcroco-devel-0.6.12-4.el8_2.1.ppc64le.rpm

s390x:
libcroco-debuginfo-0.6.12-4.el8_2.1.s390x.rpm
libcroco-debugsource-0.6.12-4.el8_2.1.s390x.rpm
libcroco-devel-0.6.12-4.el8_2.1.s390x.rpm

x86_64:
libcroco-debuginfo-0.6.12-4.el8_2.1.i686.rpm
libcroco-debuginfo-0.6.12-4.el8_2.1.x86_64.rpm
libcroco-debugsource-0.6.12-4.el8_2.1.i686.rpm
libcroco-debugsource-0.6.12-4.el8_2.1.x86_64.rpm
libcroco-devel-0.6.12-4.el8_2.1.i686.rpm
libcroco-devel-0.6.12-4.el8_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-12825
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX1dUKtzjgjWX9erEAQh2KQ/9Etk1HNEDTv8fw06DVKfenuPKAPnTEpV6
+55ni+PN6WC9EzfcGuH4sik6MaTmN+8FZmmtM2R/8CQeiQYfHn6cfDuQmQpdAI+g
2KAqB9ks225Y1HI5fx/P7P0JK4ue8UG/8Wuivz0virFrutMd4Mw55OlRxE42EZq2
3c+bIs/OPVyr1mk57mhrHQWx988UXxyLaLhHVw9MrQRFyivsEGST2QGynjHM80EX
B6uhpiJio82BevDEPbygNyFwbCXD1rRbg/Na+W4kWV8sAWI5YBA5qfBaxb7A6jGX
8jjubWqiZaRxbOnoY6VwC1+zFBj9F53T5fdvTv1oU8EjMCBkXfYB5uDScZ7vBq5u
plV7XOiyjEVqcId7qrb6dFsuDo9nViXJ0grN5n3RcFXal1Y64hBbVvA8cRfECwdo
2UD9MvrCbOEEGX0nrhx6xG8O8wbSGkKT+JZZHAYDuKM1OTi42LxBj5vw/iNvaWEh
5C6XMqI3d8Kaujv1M6+UUnJaYvdV6fKgFkTU1IwiKaCS2DZu8BKOYjL+W/kTx1SZ
uhnNS/L1C6B4nb86cjK9lyzGEKL4Vn0mofiUgzqouChdkaWYqxz4ySYY7K95uqq7
FNvjd8j6YYW3b8/u47bZigOS+x0ZJb1NG6618bgBIGUqjeE6DzyrBIk/iQzQ9pZS
ROyv0V5Gdho=
=Y9FJ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX1goLuNLKJtyKPYoAQiiRA/+MJILJHrrpcGGMT3FhuUiNMidl8KmIeY5
aMO6Yq6bY4K353nbmTDlg6hqhP5DLK3Of7s9djlzM7SeG322t9s42w+LApW/i9HO
U3j7Hq2Y8echyhnNvLRZKszXk2cooMyB23mRWtrgGY9uashhkq6INkC0+s+fFrLi
+3E6LoqpIWU6pQEWSuB5VrTL0MEe9ymErTUeAsxlYCE3rlTaz7Ywu9CS4GzHd3bH
JZ3Tz4dDzSw4KKF1PmhZcGyVf25DtpShn175dh9Bj71+crIGXvhGyYZqOFZNeNvr
jeRPUoylwhxW5NnfgiJVn7+F7PEGdNzpLHQ4x7yJo+H1p+fFScu9CtxjF5UyfzKs
gR2Tzc16pBpKbNdtQfi5KNqn3pTk2D3IM+DQKITLsUmdOqxhyaWAwNOMGzchjlfP
zS282x41Oq1Llr0bMQYpOltOyZhouwFV4KqKuIel+0HwfXnocFzk1s0B5QSIKv3D
SHqTAbfEgjlFOZsPXe3hrso6+OBwiS8hUbFfs9uiv0PHAsTIKQ88X0go9kFyH516
eu1H0AILZg1GKNLf8LvF+XtbtEOxVYIPhxcwg381r/0Dz7gjs1OYXh8rRF4fgsi9
bkV6IAKWnJKJqC1c+wV1Kd/7tUwuATL950U8lvkkxpcR4QhJDMiYqqgorh43t3FG
ANqq9yrRHUc=
=WZf1
-----END PGP SIGNATURE-----
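The Red Hat advisory above names the fixed builds (section 6) and defers the "how to apply" to a knowledge-base article (section 4); what it does not give is a way to confirm that a host is actually at or past the fixed build. The script below is an added example, not part of the AusCERT bulletin or of Red Hat's advisory: it pulls every binary RPM name out of the advisory's package list, parses `rpm -qa` style name-version-release.arch strings, and reports installed packages whose epoch:version-release is older than the fix. The version ordering is a Python port of the segment-by-segment algorithm in rpm's rpmvercmp.c (digit runs compared numerically, letter runs lexically, `~` sorting before end of string, `^` after it), so a release such as `4.el8` is correctly judged older than `4.el8_2.1`. The advisory excerpt and the `rpm -qa` listing embedded in it are constructed sample input.

```python
# Added example, not from the advisory: check `rpm -qa` output against the
# package list in section 6 of RHSA-2020:3654. rpmvercmp() is a Python port
# of the segment algorithm in rpm's rpmvercmp.c; sample inputs are constructed.
import re
from string import ascii_letters, digits

ALNUM = set(ascii_letters + digits)


def rpmvercmp(a, b):
    """rpm's ordering of version/release strings: -1, 0 or 1 for a <, ==, > b.
    Digit runs compare numerically, letter runs lexically, digits beat letters,
    '~' sorts before end of string and '^' just after it."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in ALNUM and a[i] not in "~^":
            i += 1  # skip separators such as '.', '_' and '-'
        while j < len(b) and b[j] not in ALNUM and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if "~" in (ca, cb):
            if ca != cb:
                return 1 if cb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):
            if ca == cb:
                i, j = i + 1, j + 1
                continue
            if not ca or not cb:  # end of string loses to '^'
                return 1 if ca == "^" else -1
            return 1 if cb == "^" else -1  # '^' loses to any real segment
        if not (ca and cb):
            break
        isnum = ca in digits
        kind = digits if isnum else ascii_letters
        si, sj = i, j
        while si < len(a) and a[si] in kind:
            si += 1
        while sj < len(b) and b[sj] in kind:
            sj += 1
        seg_a, seg_b = a[i:si], b[j:sj]
        if not seg_b:  # mixed types: the numeric segment is newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = si, sj
    # Whichever side still has text left over is the newer one.
    return 0 if i >= len(a) and j >= len(b) else (-1 if i >= len(a) else 1)


NVRA_RE = re.compile(r"^(.+)-(?:(\d+):)?([^-:]+)-([^-]+)\.([^.]+)$")  # name-[epoch:]version-release.arch
RPM_FILE_RE = re.compile(r"(\S+)\.rpm(?=\s|$)")


def parse_nvra(nvra):
    m = NVRA_RE.match(nvra)
    if not m:
        raise ValueError("not name-[epoch:]version-release.arch: %r" % nvra)
    p = dict(zip(("name", "epoch", "version", "release", "arch"), m.groups()))
    p["epoch"], p["nvra"] = p["epoch"] or "0", nvra
    return p


def evrcmp(x, y):  # epoch, then version, then release, like rpmVersionCompare()
    rcs = (rpmvercmp(x[k], y[k]) for k in ("epoch", "version", "release"))
    return next((rc for rc in rcs if rc), 0)


def fixed_packages(advisory_text):
    """(name, arch) -> parsed NVRA for every binary RPM named in the advisory."""
    pkgs = [parse_nvra(n) for n in RPM_FILE_RE.findall(advisory_text)]
    return {(p["name"], p["arch"]): p for p in pkgs if p["arch"] != "src"}


def vulnerable_packages(rpm_qa_output, advisory_text):
    """(installed, fixed) pairs for installed packages older than the fixed build."""
    fixed = fixed_packages(advisory_text)
    found = []
    for line in rpm_qa_output.split():
        inst = parse_nvra(line)
        fix = fixed.get((inst["name"], inst["arch"]))
        if fix is not None and evrcmp(inst, fix) < 0:
            found.append((inst["nvra"], fix["nvra"]))
    return found


# Constructed sample input: a slice of the advisory's package list and an
# `rpm -qa` listing from a host that has only been partly updated.
ADVISORY_EXCERPT = """Source: libcroco-0.6.12-4.el8_2.1.src.rpm
x86_64: libcroco-0.6.12-4.el8_2.1.i686.rpm libcroco-0.6.12-4.el8_2.1.x86_64.rpm
x86_64: libcroco-devel-0.6.12-4.el8_2.1.x86_64.rpm"""
RPM_QA_SAMPLE = """libcroco-0.6.12-4.el8.x86_64
libcroco-0.6.12-4.el8_2.1.i686
libcroco-devel-0.6.12-5.el8.x86_64
glib2-2.56.4-8.el8.x86_64"""

if __name__ == "__main__":
    for installed, fixed_in in vulnerable_packages(RPM_QA_SAMPLE, ADVISORY_EXCERPT):
        print("VULNERABLE %s -> update to %s" % (installed, fixed_in))
```

On a real RHEL 8 host, replace RPM_QA_SAMPLE with the output of `rpm -qa 'libcroco*'` (its default format is exactly name-version-release.arch) and ADVISORY_EXCERPT with the full section 6 text; a package is flagged only when its name and architecture match an entry in the advisory and its epoch:version-release sorts older, so a build newer than the one listed (a later errata, for instance) is not reported. Packages fetched outside the normal repository path should also be checked with `rpm -K` against the Red Hat key referenced in the advisory before installation.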