-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3503
                           spice security update
                              12 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           spice
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14355  

Reference:         ESB-2020.3456.2
                   ESB-2020.3455

Original Bulletin: 
   http://www.debian.org/security/2020/dsa-4771

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4771-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 11, 2020                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : spice
CVE ID         : CVE-2020-14355
Debian Bug     : 971750

Frediano Ziglio discovered multiple buffer overflow vulnerabilities in
the QUIC image decoding process of spice, a SPICE protocol client and
server library, which could result in denial of service, or possibly,
execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 0.14.0-1.3+deb10u1.

We recommend that you upgrade your spice packages.

For the detailed security status of spice please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/spice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
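
Added example (not part of the Debian advisory or the AusCERT bulletin): a
Python implementation of Debian's package version ordering, used to decide
whether an installed spice version string is at or above the fixed version
0.14.0-1.3+deb10u1 named above. The sample version strings are constructed; on
a real Debian host `dpkg --compare-versions` performs the same comparison.

```python
import re
from itertools import zip_longest

FIXED = "0.14.0-1.3+deb10u1"  # fixed version for buster, from DSA-4771-1

def _order(c):
    # dpkg character weights: '~' sorts before everything (even end of string),
    # letters sort before all other non-digit characters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _pairs(part):
    # Split into (non-digit run, number) pairs; a weight of 0 terminates each run.
    return [([_order(c) for c in s] + [0], int(n or 0))
            for s, n in re.findall(r"(\D*)(\d*)", part) if s or n]

def _cmp_part(a, b):
    # Missing pairs compare as an empty run followed by the number 0.
    for x, y in zip_longest(_pairs(a), _pairs(b), fillvalue=([0], 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def _parse(version):
    # [epoch:]upstream[-revision]; missing epoch and revision both mean "0".
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def compare(a, b):
    ea, ua, ra = _parse(a)
    eb, ub, rb = _parse(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_fixed(installed, fixed=FIXED):
    return compare(installed, fixed) >= 0

if __name__ == "__main__":
    # Constructed sample version strings, not taken from the advisory.
    for v in ["0.14.0-1.3", FIXED, "0.14.0-1.3+deb10u1~bpo1", "0.14.3-1"]:
        print(f"{v:26} {'fixed' if is_fixed(v) else 'needs upgrade'}")
```

The fixed version applies only to the buster package named in the advisory;
other releases carry their own fixed versions on the security tracker page.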

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----