Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3386
libpng security update
30 September 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libpng
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux WS/Desktop 7
Impact/Access: Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2017-12652
Reference: ESB-2020.1205
ESB-2020.0775
ESB-2019.4466
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:3901
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: libpng security update
Advisory ID: RHSA-2020:3901-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3901
Issue date: 2020-09-29
CVE Names: CVE-2017-12652
=====================================================================
1. Summary:
An update for libpng is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
The libpng packages contain a library of functions for creating and
manipulating Portable Network Graphics (PNG) image format files.
Security Fix(es):
* libpng: does not check length of chunks against user limit
(CVE-2017-12652)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.9 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running applications using libpng or must be restarted for the update
to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1733956 - CVE-2017-12652 libpng: does not check length of chunks against user limit
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
libpng-1.5.13-8.el7.src.rpm
x86_64:
libpng-1.5.13-8.el7.i686.rpm
libpng-1.5.13-8.el7.x86_64.rpm
libpng-debuginfo-1.5.13-8.el7.i686.rpm
libpng-debuginfo-1.5.13-8.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
libpng-debuginfo-1.5.13-8.el7.i686.rpm
libpng-debuginfo-1.5.13-8.el7.x86_64.rpm
libpng-devel-1.5.13-8.el7.i686.rpm
libpng-devel-1.5.13-8.el7.x86_64.rpm
libpng-static-1.5.13-8.el7.i686.rpm
libpng-static-1.5.13-8.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
libpng-1.5.13-8.el7.src.rpm
x86_64:
libpng-1.5.13-8.el7.i686.rpm
libpng-1.5.13-8.el7.x86_64.rpm
libpng-debuginfo-1.5.13-8.el7.i686.rpm
libpng-debuginfo-1.5.13-8.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
libpng-debuginfo-1.5.13-8.el7.i686.rpm
libpng-debuginfo-1.5.13-8.el7.x86_64.rpm
libpng-devel-1.5.13-8.el7.i686.rpm
libpng-devel-1.5.13-8.el7.x86_64.rpm
libpng-static-1.5.13-8.el7.i686.rpm
libpng-static-1.5.13-8.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
libpng-1.5.13-8.el7.src.rpm
ppc64:
libpng-1.5.13-8.el7.ppc.rpm
libpng-1.5.13-8.el7.ppc64.rpm
libpng-debuginfo-1.5.13-8.el7.ppc.rpm
libpng-debuginfo-1.5.13-8.el7.ppc64.rpm
libpng-devel-1.5.13-8.el7.ppc.rpm
libpng-devel-1.5.13-8.el7.ppc64.rpm
ppc64le:
libpng-1.5.13-8.el7.ppc64le.rpm
libpng-debuginfo-1.5.13-8.el7.ppc64le.rpm
libpng-devel-1.5.13-8.el7.ppc64le.rpm
s390x:
libpng-1.5.13-8.el7.s390.rpm
libpng-1.5.13-8.el7.s390x.rpm
libpng-debuginfo-1.5.13-8.el7.s390.rpm
libpng-debuginfo-1.5.13-8.el7.s390x.rpm
libpng-devel-1.5.13-8.el7.s390.rpm
libpng-devel-1.5.13-8.el7.s390x.rpm
x86_64:
libpng-1.5.13-8.el7.i686.rpm
libpng-1.5.13-8.el7.x86_64.rpm
libpng-debuginfo-1.5.13-8.el7.i686.rpm
libpng-debuginfo-1.5.13-8.el7.x86_64.rpm
libpng-devel-1.5.13-8.el7.i686.rpm
libpng-devel-1.5.13-8.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
libpng-debuginfo-1.5.13-8.el7.ppc.rpm
libpng-debuginfo-1.5.13-8.el7.ppc64.rpm
libpng-static-1.5.13-8.el7.ppc.rpm
libpng-static-1.5.13-8.el7.ppc64.rpm
ppc64le:
libpng-debuginfo-1.5.13-8.el7.ppc64le.rpm
libpng-static-1.5.13-8.el7.ppc64le.rpm
s390x:
libpng-debuginfo-1.5.13-8.el7.s390.rpm
libpng-debuginfo-1.5.13-8.el7.s390x.rpm
libpng-static-1.5.13-8.el7.s390.rpm
libpng-static-1.5.13-8.el7.s390x.rpm
x86_64:
libpng-debuginfo-1.5.13-8.el7.i686.rpm
libpng-debuginfo-1.5.13-8.el7.x86_64.rpm
libpng-static-1.5.13-8.el7.i686.rpm
libpng-static-1.5.13-8.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
libpng-1.5.13-8.el7.src.rpm
x86_64:
libpng-1.5.13-8.el7.i686.rpm
libpng-1.5.13-8.el7.x86_64.rpm
libpng-debuginfo-1.5.13-8.el7.i686.rpm
libpng-debuginfo-1.5.13-8.el7.x86_64.rpm
libpng-devel-1.5.13-8.el7.i686.rpm
libpng-devel-1.5.13-8.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
libpng-debuginfo-1.5.13-8.el7.i686.rpm
libpng-debuginfo-1.5.13-8.el7.x86_64.rpm
libpng-static-1.5.13-8.el7.i686.rpm
libpng-static-1.5.13-8.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-12652
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX3Ohv9zjgjWX9erEAQhW+w/+IOwXC9elwpcQ8HRw2Hhg0ZYv0Yd3YDbZ
hC9XrlxraEOb+z269LxfpqKXDB3/Nkg3Y/SDDCDooYjtn1bMf/t/mKvYtY9ZPZSc
pahGNSXzED8sOjc1IlwxXDIPzrN8h649fMJdEacPVcE732HDo5VFsEgvK8fEOzVp
LBQ2x0R8YtabLPdKJSavOmli0O6CJf9pB8f8G/S2wRZh4DI6awrzou8k+sOwhPzA
9hmp6Uw7wYH0NQo61HPSn/dRZPGNYNeFpRXBw5UnwRaNhqYbLpVVMNQ9DzNCIpNz
7m7A0mo2ukFgfpKov1yp9IhitC8CiKQn/5Fe5yEi/boRiZzwy5DMqMpFoSKO5DTF
maza6gAEgAFH80gF1rlKnEQUc14345X4/eWDCTr6yMeBsvTLyuWVvZy6JyUyh1YQ
30+3/ZbS5tplnwwJBvX5cyuO3TS/8kM3mFu75aJfySr2i/P2w03pB2T6jPlRoFc1
OjuCSHLZ0D+pwoN4e0PhEBQNrKFWyOgp1oUrLw+tVU5WscijEHWDUzGJ/AwYARBB
zqH5xzk7uYD1ncHd+urduIwEKUi7tbCi81NEzP21kN7qls8VSmBgZhEraTBFRXqi
0vcM3GRzuyKRYb86wGqQa3cENxVsadqKJYodzYX5XyfpX0geDfM69sWpnRTuH6A+
Vx+agpfS8wU=
=1iW/
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX3P+7uNLKJtyKPYoAQjprQ//VfV75iinlwf5Z9C0HugOVKUvPpNz/pVH
3VqhrcwGFAKznNuK0ImD1nTpERUCyFph6UYH2GPZ6u6/oPg/NuGVTdVhip4Y8WSw
7eG+G0K/0BkM7HXS+M4JpUbhfc6yLUzZh46uadJ6G/JeL+1xLNoHEanBLlBl70to
Y4d++Ho2AX/KrW08HSk+AZ2PFRLsc3q2e4Fd2g8LaB8fqVL//X8/hY2t4l9t3Fcs
0C87yKla9lpr5Mqz+xTl/cX9TSYEkIhg9SPNNZ0d1wozfRBKIdXq3DLT+3NRLREJ
Az5B5qDwnSYsnuM6PVNhkqwAqS7nvhzg5PypoE9YLHr8uaWZgZ/pb2sWWYXWVpXo
Qs8NoYBkqJpyoBRwWKfMmTnwQJIaPn0InXXEKYouxbdWyrBmEmHvEJgBmTNy5HiD
rnk3l1SZLgfvV+6PUtpfR/6m1SDKbZQpV0hGkCHmguTiGggbKlP/ahLKh73x/Cpv
J2ErkCYisSENDPeK5/TqLqsChuxE/UKVPRxySzB8+xkB62QxyRoaTVbxaHu/5PYr
CUIm5mNHLG8omOkd65+9870A7yu0Ajd4E5tK2USmuM2p2vV220bav4ajDGvyOQAU
FiILhRHbzZJN4r+e+6MF4KHtyfqOMzYJP0dT1MzWoXSzIqkN4a2SC1846zWKuE7T
OWBifwTPI7s=
=vtZJ
-----END PGP SIGNATURE-----