Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.3382 libvpx security update 30 September 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libvpx Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux WS/Desktop 7 Impact/Access: Denial of Service -- Existing Account Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-0034 CVE-2019-9433 CVE-2019-9232 CVE-2017-0393 Reference: ESB-2020.0846 ESB-2019.4517 ESB-2019.4494 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:3876 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: libvpx security update Advisory ID: RHSA-2020:3876-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:3876 Issue date: 2020-09-29 CVE Names: CVE-2017-0393 CVE-2019-9232 CVE-2019-9433 CVE-2020-0034 ===================================================================== 1. Summary: An update for libvpx is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. Security Fix(es): * libvpx: Denial of service in mediaserver (CVE-2017-0393) * libvpx: Out of bounds read in vp8_norm table (CVE-2019-9232) * libvpx: Use-after-free in vp8_deblock() in vp8/common/postproc.c (CVE-2019-9433) * libvpx: Out of bounds read in vp8_decode_frame in decodeframe.c (CVE-2020-0034) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, all applications using libvpx must be restarted for the changes to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1769657 - CVE-2017-0393 libvpx: Denial of service in mediaserver 1788966 - CVE-2019-9232 libvpx: Out of bounds read in vp8_norm table 1788994 - CVE-2019-9433 libvpx: Use-after-free in vp8_deblock() in vp8/common/postproc.c 1813000 - CVE-2020-0034 libvpx: Out of bounds read in vp8_decode_frame in decodeframe.c 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: libvpx-1.3.0-8.el7.src.rpm x86_64: libvpx-1.3.0-8.el7.i686.rpm libvpx-1.3.0-8.el7.x86_64.rpm libvpx-debuginfo-1.3.0-8.el7.i686.rpm libvpx-debuginfo-1.3.0-8.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: libvpx-debuginfo-1.3.0-8.el7.i686.rpm libvpx-debuginfo-1.3.0-8.el7.x86_64.rpm libvpx-devel-1.3.0-8.el7.i686.rpm libvpx-devel-1.3.0-8.el7.x86_64.rpm libvpx-utils-1.3.0-8.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): Source: libvpx-1.3.0-8.el7.src.rpm x86_64: libvpx-1.3.0-8.el7.i686.rpm libvpx-1.3.0-8.el7.x86_64.rpm libvpx-debuginfo-1.3.0-8.el7.i686.rpm libvpx-debuginfo-1.3.0-8.el7.x86_64.rpm libvpx-devel-1.3.0-8.el7.i686.rpm libvpx-devel-1.3.0-8.el7.x86_64.rpm libvpx-utils-1.3.0-8.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: libvpx-1.3.0-8.el7.src.rpm ppc64: libvpx-1.3.0-8.el7.ppc.rpm libvpx-1.3.0-8.el7.ppc64.rpm libvpx-debuginfo-1.3.0-8.el7.ppc.rpm libvpx-debuginfo-1.3.0-8.el7.ppc64.rpm ppc64le: libvpx-1.3.0-8.el7.ppc64le.rpm libvpx-debuginfo-1.3.0-8.el7.ppc64le.rpm s390x: libvpx-1.3.0-8.el7.s390.rpm libvpx-1.3.0-8.el7.s390x.rpm libvpx-debuginfo-1.3.0-8.el7.s390.rpm libvpx-debuginfo-1.3.0-8.el7.s390x.rpm x86_64: libvpx-1.3.0-8.el7.i686.rpm libvpx-1.3.0-8.el7.x86_64.rpm libvpx-debuginfo-1.3.0-8.el7.i686.rpm libvpx-debuginfo-1.3.0-8.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: libvpx-debuginfo-1.3.0-8.el7.ppc.rpm libvpx-debuginfo-1.3.0-8.el7.ppc64.rpm libvpx-devel-1.3.0-8.el7.ppc.rpm libvpx-devel-1.3.0-8.el7.ppc64.rpm libvpx-utils-1.3.0-8.el7.ppc64.rpm ppc64le: libvpx-debuginfo-1.3.0-8.el7.ppc64le.rpm libvpx-devel-1.3.0-8.el7.ppc64le.rpm libvpx-utils-1.3.0-8.el7.ppc64le.rpm s390x: libvpx-debuginfo-1.3.0-8.el7.s390.rpm libvpx-debuginfo-1.3.0-8.el7.s390x.rpm libvpx-devel-1.3.0-8.el7.s390.rpm libvpx-devel-1.3.0-8.el7.s390x.rpm libvpx-utils-1.3.0-8.el7.s390x.rpm x86_64: libvpx-debuginfo-1.3.0-8.el7.i686.rpm libvpx-debuginfo-1.3.0-8.el7.x86_64.rpm libvpx-devel-1.3.0-8.el7.i686.rpm libvpx-devel-1.3.0-8.el7.x86_64.rpm libvpx-utils-1.3.0-8.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: libvpx-1.3.0-8.el7.src.rpm x86_64: libvpx-1.3.0-8.el7.i686.rpm libvpx-1.3.0-8.el7.x86_64.rpm libvpx-debuginfo-1.3.0-8.el7.i686.rpm libvpx-debuginfo-1.3.0-8.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: libvpx-debuginfo-1.3.0-8.el7.i686.rpm libvpx-debuginfo-1.3.0-8.el7.x86_64.rpm libvpx-devel-1.3.0-8.el7.i686.rpm libvpx-devel-1.3.0-8.el7.x86_64.rpm libvpx-utils-1.3.0-8.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2017-0393 https://access.redhat.com/security/cve/CVE-2019-9232 https://access.redhat.com/security/cve/CVE-2019-9433 https://access.redhat.com/security/cve/CVE-2020-0034 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX3OfLdzjgjWX9erEAQitbA/9EWvcEPp8tmGdH+29VlbtVJqCTGrH8MFI tR5gHb83fUgAJ3h61a0dJcNObPQzcnbVus8wicThJHT01ODf+P7TajOV16cGUN58 GQtLLrrR/o15p6Yl1JUWx85VUVmDVkrMFnUsjhdQA2/uwSu4doUI0HX2d7YhImVe vhgcZuSko6EZfg65Kez/KR1E/mhxq2VgJMRdHtpqJIbyYAGsxVRWZZDJ0YUGIuLe hbMbQjrjq5eT+LhGqiN+BhwRa791AiI6ee6qSNcvVPXFzsHlX1ui0iIqkHiSGlhG oksFR3mCM/qzIPqHy95eJNfC79Xo8cN1hcV1lADxgqIJiCrnSY6Wdj9CTVOATeM7 KRExeAuuVKalPLKsL6mCPaiOnreKf7kNdjDeXiXSqgSxnu060H+E/7ZnaqgZD/X4 aT383fYTcpxH2RrqOH4RX2D+9r1dawaYG/9XHLA7A9sXZ/Fgbn2rbUibqkHBWTlR BMb3m/0KuHzfYm5pKSUx9ztJo0Zgn4kWy9M36/T8urlAxSxkcCQHWXtDfaVcrbyt 0TLmANjGBDJ605TAhrRteoSvoHaFVLJCbZ7rLNW93e3hBDN2Rginadpx4++z5N9L ndpdepLUI2xQdglVX5rKZWYx9Erc9fPWwLW1iXA6kbg15h9lKcZy/DIvdz3/J+/U oaOsMnNvbKA= =eByk - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX3P8veNLKJtyKPYoAQgtwhAAhzk0VbKnpjKQUBokCcZ1Hi0SQklrTCwc vo5NhNmpxRutC2plYhRZrt1R5DWIwUW7LXm5AApb9g8j828Bt3VYAlQ5dO1YHJrB BfgIi4+Whn2kcILM3Q0Eqe5WDuzT7aQeM3MOP+9y+ba/DqQzH3vy4G5UrjNK9Ksf hDbjB93K7R1mM8jbV9Aoxm0fpfsZNnapNpEcOnwLJ8OGH/734YtxOlMN+Rd5AcdO yFup0muBZDB+4fI3nYv8A7QPh18HcJMh8RQYzW+U7MpdntKS03tDt/o1SdBL/r+T 80M6mDmwXRRkrOvNiVBlKQS7+B2iTxFeMoHX3Tpu9LUlYyVagH0awOmNvlbZqxfT nJp1MRtmbrspFiSsvEB4NwIlBACuytwBLfwMVFxlVaS0jA+dhWxsPd/7Fg9803q/ NkEL8FBFPDAxJTYiYd29BvE1C4y8DVDMKRRcDuZloRjc4QNhjkqDCgA/TM8A8Y7l fA0o5KnwExZMu/Yvw1n+UcU+zVTc7O5ZQ0QHOv0IHNbG9VASZy/Qbzw5+XFW/UY0 Yke2fdi0fP35q5c9+9niLEGG/zlTKOwaneDJL4VbANTIljHw7QQO5IOcZOc+ucSi p4eucUBb+FJncoNXZs+RFwehK5SlI2+XsP+YLGZckOqIiV/5PoHUqIWWQm48lbkS 2Z/c713fHa4= =TXvB -----END PGP SIGNATURE-----