Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.3401 OpenEXR security update 30 September 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: OpenEXR Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux WS/Desktop 7 Impact/Access: Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-11764 CVE-2020-11763 CVE-2020-11761 Reference: ESB-2020.2985 ESB-2020.1816 ESB-2020.1448 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:4039 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenEXR security update Advisory ID: RHSA-2020:4039-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:4039 Issue date: 2020-09-29 CVE Names: CVE-2020-11761 CVE-2020-11763 CVE-2020-11764 ===================================================================== 1. Summary: An update for OpenEXR is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format. Security Fix(es): * OpenEXR: out-of-bounds read during Huffman uncompression (CVE-2020-11761) * OpenEXR: std::vector out-of-bounds read and write in ImfTileOffsets.cpp (CVE-2020-11763) * OpenEXR: out-of-bounds write in copyIntoFrameBuffer function in ImfMisc.cpp (CVE-2020-11764) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1828990 - CVE-2020-11764 OpenEXR: out-of-bounds write in copyIntoFrameBuffer function in ImfMisc.cpp 1828995 - CVE-2020-11763 OpenEXR: std::vector out-of-bounds read and write in ImfTileOffsets.cpp 1829002 - CVE-2020-11761 OpenEXR: out-of-bounds read during Huffman uncompression 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: OpenEXR-1.7.1-8.el7.src.rpm x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: OpenEXR-1.7.1-8.el7.src.rpm x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: OpenEXR-1.7.1-8.el7.src.rpm ppc64: OpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm OpenEXR-libs-1.7.1-8.el7.ppc.rpm OpenEXR-libs-1.7.1-8.el7.ppc64.rpm ppc64le: OpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm OpenEXR-libs-1.7.1-8.el7.ppc64le.rpm s390x: OpenEXR-debuginfo-1.7.1-8.el7.s390.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm OpenEXR-libs-1.7.1-8.el7.s390.rpm OpenEXR-libs-1.7.1-8.el7.s390x.rpm x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: OpenEXR-1.7.1-8.el7.ppc64.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64.rpm OpenEXR-devel-1.7.1-8.el7.ppc.rpm OpenEXR-devel-1.7.1-8.el7.ppc64.rpm ppc64le: OpenEXR-1.7.1-8.el7.ppc64le.rpm OpenEXR-debuginfo-1.7.1-8.el7.ppc64le.rpm OpenEXR-devel-1.7.1-8.el7.ppc64le.rpm s390x: OpenEXR-1.7.1-8.el7.s390x.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390.rpm OpenEXR-debuginfo-1.7.1-8.el7.s390x.rpm OpenEXR-devel-1.7.1-8.el7.s390.rpm OpenEXR-devel-1.7.1-8.el7.s390x.rpm x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: OpenEXR-1.7.1-8.el7.src.rpm x86_64: OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-libs-1.7.1-8.el7.i686.rpm OpenEXR-libs-1.7.1-8.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: OpenEXR-1.7.1-8.el7.x86_64.rpm OpenEXR-debuginfo-1.7.1-8.el7.i686.rpm OpenEXR-debuginfo-1.7.1-8.el7.x86_64.rpm OpenEXR-devel-1.7.1-8.el7.i686.rpm OpenEXR-devel-1.7.1-8.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-11761 https://access.redhat.com/security/cve/CVE-2020-11763 https://access.redhat.com/security/cve/CVE-2020-11764 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX3OhUtzjgjWX9erEAQhyFQ/+J5Ul3SoJTvzk/7rqW/WA4GkT5/I6owm1 BnhvO6tELbBul8250MCo/jaUukdjQ3bJ/ZdjmPFrPgNR7UrmIN0LQdAiDlMtnhIF 7Ppw7RDniUBtv3Q2471W4FQxpeXKf+n5sqkq+blxZbeYLXI7Nya/2qKirO0dJ4M1 bAl1exBJ4cSp+kuUOn8oBsGQi6L2oM6ldPf4KklMswOU69qDexywZNtvQVfANmur mNIx/9bmQG+WRlj941A1BFTsAdXsCyTc3qaBecC5iEFxKPkVlpfBhQJ+N6zxdKwj CtVftLiGpcuiWck6THkpPbQg9HWqtJI3tQyW5NUZFHhUnwvOw3SGKgN3ufsnS/tF 9MsnwovV+6kuR/k1UWiDXuSZrdjEIOSz0We8oT5VhOKNkXcE0OY4yxLKpVTlP1HN aM2OGkf3DiUdKEysSQ7yPa2tfimLYQS/XJo6w4FZPKapmOvF926/R7NgIIucvG4J U51DVzqGpkt40pK790wQLrwUZ/E+HYyeZpPJC8QrmJmPNXsXFEm4iYxjCIyaecKf hOlBFwy7mU6fuOLynrrfxeStoS0+zJFfYqdiKOfTpRoLozBqaA8Vt8VasOfOwGeY Ar+nuTxwoQn3KCSGvHk533UkNyqKqpNDIfyqk3M8y8S5HjXvoMx9zxaN0ujT4/pB vySbS8H4PEI= =P3yT - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX3QbTONLKJtyKPYoAQiedhAAodGV+7YaoiLW9WB1K21HVONdd8ON47sT 0N0hwCgwYYXpaIEk0aQvG98VDG/kc6YXHFD7k2yC5aWYENaKiygGFkXOOWG8JQSL MHtyeu0+MPwKeEZHPTlxzC4w6ZZ3+3KU+2Hc50u3BNSW5u+w1MhGFfuQ7HxqdEds QD+ExvJ3izONudZuXszchMFRfCxUrpJgXKJ1YjufAel2WOOeceDEzVbDO9tMGPEm Wih2EeDiOj3crGeTYcswSdGKitKfVRtb/uFpBBCIYNbDCSfm7shHQuGgzsfRiM9B B7RoJX+7sP68v7oX5NDADMmQQ3DlJbthMq7mb2elQG0JEKW0dtXTOxhSSPZ0rZ7Z yu1fw0kzGSnnVBicLzmLr826ZrOJTucvHPtlFUGlZzUUp4QJ5c+Hl4sm9ArKbMwi o0Y9/JQadhAvDMPgrz6uB7W6G76ZVwjN2dlbzIyXFIqBDegDR5AjTv3J1ZLJCrV2 InbpRYDscczH09umylcn7dWJm/dbxuOUgnUjKYw30u2VBJU1jKoyEIZD7bqVrern SVrWxCLSafwYDGVqT6dX62o2HInzOeL8pXDkh0xMvPLUIqTPl/YzyAVal6HKu1JS hJyR9aJoJ8YMqYl72RrJ8JUbc9NPGjazlYjZnfAhNE4eKSUE3S570shmxvFiJPsI 6fM08eLeRbE= =iCc/ -----END PGP SIGNATURE-----