===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3800.2
                           freetype security update
                               6 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           freetype
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15999
Reference:         ESB-2020.3676
                   ESB-2020.3668
                   ESB-2020.3639
                   ESB-2020.3616.2

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:4907
   https://access.redhat.com/errata/RHSA-2020:4949
   https://access.redhat.com/errata/RHSA-2020:4950
   https://access.redhat.com/errata/RHSA-2020:4951
   https://access.redhat.com/errata/RHSA-2020:4952

Comment: This bulletin contains five (5) Red Hat security advisories.

Revision History:  November 6 2020: Appended additional associated advisories
                   November 5 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: freetype security update
Advisory ID:       RHSA-2020:4907-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4907
Issue date:        2020-11-04
CVE Names:         CVE-2020-15999
=====================================================================

1. Summary:

An update for freetype is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

FreeType is a free, high-quality, portable font engine that can open and
manage font files. FreeType loads, hints, and renders individual glyphs
efficiently.

Security Fix(es):

* freetype: Heap-based buffer overflow due to integer truncation in
Load_SBit_Png (CVE-2020-15999)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The X server must be restarted (log out, then log back in) for this update
to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1890210 - CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
freetype-2.8-14.el7_9.1.src.rpm

x86_64:
freetype-2.8-14.el7_9.1.i686.rpm
freetype-2.8-14.el7_9.1.x86_64.rpm
freetype-debuginfo-2.8-14.el7_9.1.i686.rpm
freetype-debuginfo-2.8-14.el7_9.1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
freetype-debuginfo-2.8-14.el7_9.1.i686.rpm
freetype-debuginfo-2.8-14.el7_9.1.x86_64.rpm
freetype-demos-2.8-14.el7_9.1.x86_64.rpm
freetype-devel-2.8-14.el7_9.1.i686.rpm
freetype-devel-2.8-14.el7_9.1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
freetype-2.8-14.el7_9.1.src.rpm

x86_64:
freetype-2.8-14.el7_9.1.i686.rpm
freetype-2.8-14.el7_9.1.x86_64.rpm
freetype-debuginfo-2.8-14.el7_9.1.i686.rpm
freetype-debuginfo-2.8-14.el7_9.1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
freetype-debuginfo-2.8-14.el7_9.1.i686.rpm
freetype-debuginfo-2.8-14.el7_9.1.x86_64.rpm
freetype-demos-2.8-14.el7_9.1.x86_64.rpm
freetype-devel-2.8-14.el7_9.1.i686.rpm
freetype-devel-2.8-14.el7_9.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
freetype-2.8-14.el7_9.1.src.rpm

ppc64:
freetype-2.8-14.el7_9.1.ppc.rpm
freetype-2.8-14.el7_9.1.ppc64.rpm
freetype-debuginfo-2.8-14.el7_9.1.ppc.rpm
freetype-debuginfo-2.8-14.el7_9.1.ppc64.rpm
freetype-devel-2.8-14.el7_9.1.ppc.rpm
freetype-devel-2.8-14.el7_9.1.ppc64.rpm

ppc64le:
freetype-2.8-14.el7_9.1.ppc64le.rpm
freetype-debuginfo-2.8-14.el7_9.1.ppc64le.rpm
freetype-devel-2.8-14.el7_9.1.ppc64le.rpm

s390x:
freetype-2.8-14.el7_9.1.s390.rpm
freetype-2.8-14.el7_9.1.s390x.rpm
freetype-debuginfo-2.8-14.el7_9.1.s390.rpm
freetype-debuginfo-2.8-14.el7_9.1.s390x.rpm
freetype-devel-2.8-14.el7_9.1.s390.rpm
freetype-devel-2.8-14.el7_9.1.s390x.rpm

x86_64:
freetype-2.8-14.el7_9.1.i686.rpm
freetype-2.8-14.el7_9.1.x86_64.rpm
freetype-debuginfo-2.8-14.el7_9.1.i686.rpm
freetype-debuginfo-2.8-14.el7_9.1.x86_64.rpm
freetype-devel-2.8-14.el7_9.1.i686.rpm
freetype-devel-2.8-14.el7_9.1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
freetype-debuginfo-2.8-14.el7_9.1.ppc64.rpm
freetype-demos-2.8-14.el7_9.1.ppc64.rpm

ppc64le:
freetype-debuginfo-2.8-14.el7_9.1.ppc64le.rpm
freetype-demos-2.8-14.el7_9.1.ppc64le.rpm

s390x:
freetype-debuginfo-2.8-14.el7_9.1.s390x.rpm
freetype-demos-2.8-14.el7_9.1.s390x.rpm

x86_64:
freetype-debuginfo-2.8-14.el7_9.1.x86_64.rpm
freetype-demos-2.8-14.el7_9.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
freetype-2.8-14.el7_9.1.src.rpm

x86_64:
freetype-2.8-14.el7_9.1.i686.rpm
freetype-2.8-14.el7_9.1.x86_64.rpm
freetype-debuginfo-2.8-14.el7_9.1.i686.rpm
freetype-debuginfo-2.8-14.el7_9.1.x86_64.rpm
freetype-devel-2.8-14.el7_9.1.i686.rpm
freetype-devel-2.8-14.el7_9.1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
freetype-debuginfo-2.8-14.el7_9.1.x86_64.rpm
freetype-demos-2.8-14.el7_9.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-15999
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

- ------------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: freetype security update
Advisory ID:       RHSA-2020:4949-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4949
Issue date:        2020-11-05
CVE Names:         CVE-2020-15999
=====================================================================

1. Summary:

An update for freetype is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

FreeType is a free, high-quality, portable font engine that can open and
manage font files. FreeType loads, hints, and renders individual glyphs
efficiently.

Security Fix(es):

* freetype: Heap-based buffer overflow due to integer truncation in
Load_SBit_Png (CVE-2020-15999)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The X server must be restarted (log out, then log back in) for this update
to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1890210 - CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.0):

Source:
freetype-2.9.1-4.el8_0.1.src.rpm

aarch64:
freetype-2.9.1-4.el8_0.1.aarch64.rpm
freetype-debuginfo-2.9.1-4.el8_0.1.aarch64.rpm
freetype-debugsource-2.9.1-4.el8_0.1.aarch64.rpm
freetype-demos-debuginfo-2.9.1-4.el8_0.1.aarch64.rpm
freetype-devel-2.9.1-4.el8_0.1.aarch64.rpm

ppc64le:
freetype-2.9.1-4.el8_0.1.ppc64le.rpm
freetype-debuginfo-2.9.1-4.el8_0.1.ppc64le.rpm
freetype-debugsource-2.9.1-4.el8_0.1.ppc64le.rpm
freetype-demos-debuginfo-2.9.1-4.el8_0.1.ppc64le.rpm
freetype-devel-2.9.1-4.el8_0.1.ppc64le.rpm

s390x:
freetype-2.9.1-4.el8_0.1.s390x.rpm
freetype-debuginfo-2.9.1-4.el8_0.1.s390x.rpm
freetype-debugsource-2.9.1-4.el8_0.1.s390x.rpm
freetype-demos-debuginfo-2.9.1-4.el8_0.1.s390x.rpm
freetype-devel-2.9.1-4.el8_0.1.s390x.rpm

x86_64:
freetype-2.9.1-4.el8_0.1.i686.rpm
freetype-2.9.1-4.el8_0.1.x86_64.rpm
freetype-debuginfo-2.9.1-4.el8_0.1.i686.rpm
freetype-debuginfo-2.9.1-4.el8_0.1.x86_64.rpm
freetype-debugsource-2.9.1-4.el8_0.1.i686.rpm
freetype-debugsource-2.9.1-4.el8_0.1.x86_64.rpm
freetype-demos-debuginfo-2.9.1-4.el8_0.1.i686.rpm
freetype-demos-debuginfo-2.9.1-4.el8_0.1.x86_64.rpm
freetype-devel-2.9.1-4.el8_0.1.i686.rpm
freetype-devel-2.9.1-4.el8_0.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-15999
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

- ------------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: freetype security update
Advisory ID:       RHSA-2020:4950-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4950
Issue date:        2020-11-05
CVE Names:         CVE-2020-15999
=====================================================================

1. Summary:

An update for freetype is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

FreeType is a free, high-quality, portable font engine that can open and
manage font files. FreeType loads, hints, and renders individual glyphs
efficiently.

Security Fix(es):

* freetype: Heap-based buffer overflow due to integer truncation in
Load_SBit_Png (CVE-2020-15999)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The X server must be restarted (log out, then log back in) for this update
to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1890210 - CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v. 8.1):

Source:
freetype-2.9.1-4.el8_1.1.src.rpm

aarch64:
freetype-2.9.1-4.el8_1.1.aarch64.rpm
freetype-debuginfo-2.9.1-4.el8_1.1.aarch64.rpm
freetype-debugsource-2.9.1-4.el8_1.1.aarch64.rpm
freetype-demos-debuginfo-2.9.1-4.el8_1.1.aarch64.rpm
freetype-devel-2.9.1-4.el8_1.1.aarch64.rpm

ppc64le:
freetype-2.9.1-4.el8_1.1.ppc64le.rpm
freetype-debuginfo-2.9.1-4.el8_1.1.ppc64le.rpm
freetype-debugsource-2.9.1-4.el8_1.1.ppc64le.rpm
freetype-demos-debuginfo-2.9.1-4.el8_1.1.ppc64le.rpm
freetype-devel-2.9.1-4.el8_1.1.ppc64le.rpm

s390x:
freetype-2.9.1-4.el8_1.1.s390x.rpm
freetype-debuginfo-2.9.1-4.el8_1.1.s390x.rpm
freetype-debugsource-2.9.1-4.el8_1.1.s390x.rpm
freetype-demos-debuginfo-2.9.1-4.el8_1.1.s390x.rpm
freetype-devel-2.9.1-4.el8_1.1.s390x.rpm

x86_64:
freetype-2.9.1-4.el8_1.1.i686.rpm
freetype-2.9.1-4.el8_1.1.x86_64.rpm
freetype-debuginfo-2.9.1-4.el8_1.1.i686.rpm
freetype-debuginfo-2.9.1-4.el8_1.1.x86_64.rpm
freetype-debugsource-2.9.1-4.el8_1.1.i686.rpm
freetype-debugsource-2.9.1-4.el8_1.1.x86_64.rpm
freetype-demos-debuginfo-2.9.1-4.el8_1.1.i686.rpm
freetype-demos-debuginfo-2.9.1-4.el8_1.1.x86_64.rpm
freetype-devel-2.9.1-4.el8_1.1.i686.rpm
freetype-devel-2.9.1-4.el8_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-15999
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

- ------------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: freetype security update
Advisory ID:       RHSA-2020:4951-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4951
Issue date:        2020-11-05
CVE Names:         CVE-2020-15999
=====================================================================

1. Summary:

An update for freetype is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

FreeType is a free, high-quality, portable font engine that can open and
manage font files. FreeType loads, hints, and renders individual glyphs
efficiently.

Security Fix(es):

* freetype: Heap-based buffer overflow due to integer truncation in
Load_SBit_Png (CVE-2020-15999)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The X server must be restarted (log out, then log back in) for this update
to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1890210 - CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v. 8.2):

Source:
freetype-2.9.1-4.el8_2.1.src.rpm

aarch64:
freetype-2.9.1-4.el8_2.1.aarch64.rpm
freetype-debuginfo-2.9.1-4.el8_2.1.aarch64.rpm
freetype-debugsource-2.9.1-4.el8_2.1.aarch64.rpm
freetype-demos-debuginfo-2.9.1-4.el8_2.1.aarch64.rpm
freetype-devel-2.9.1-4.el8_2.1.aarch64.rpm

ppc64le:
freetype-2.9.1-4.el8_2.1.ppc64le.rpm
freetype-debuginfo-2.9.1-4.el8_2.1.ppc64le.rpm
freetype-debugsource-2.9.1-4.el8_2.1.ppc64le.rpm
freetype-demos-debuginfo-2.9.1-4.el8_2.1.ppc64le.rpm
freetype-devel-2.9.1-4.el8_2.1.ppc64le.rpm

s390x:
freetype-2.9.1-4.el8_2.1.s390x.rpm
freetype-debuginfo-2.9.1-4.el8_2.1.s390x.rpm
freetype-debugsource-2.9.1-4.el8_2.1.s390x.rpm
freetype-demos-debuginfo-2.9.1-4.el8_2.1.s390x.rpm
freetype-devel-2.9.1-4.el8_2.1.s390x.rpm

x86_64:
freetype-2.9.1-4.el8_2.1.i686.rpm
freetype-2.9.1-4.el8_2.1.x86_64.rpm
freetype-debuginfo-2.9.1-4.el8_2.1.i686.rpm
freetype-debuginfo-2.9.1-4.el8_2.1.x86_64.rpm
freetype-debugsource-2.9.1-4.el8_2.1.i686.rpm
freetype-debugsource-2.9.1-4.el8_2.1.x86_64.rpm
freetype-demos-debuginfo-2.9.1-4.el8_2.1.i686.rpm
freetype-demos-debuginfo-2.9.1-4.el8_2.1.x86_64.rpm
freetype-devel-2.9.1-4.el8_2.1.i686.rpm
freetype-devel-2.9.1-4.el8_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-15999
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

- ------------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: freetype security update
Advisory ID:       RHSA-2020:4952-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4952
Issue date:        2020-11-05
CVE Names:         CVE-2020-15999
=====================================================================

1. Summary:

An update for freetype is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

FreeType is a free, high-quality, portable font engine that can open and
manage font files. FreeType loads, hints, and renders individual glyphs
efficiently.

Security Fix(es):

* freetype: Heap-based buffer overflow due to integer truncation in
Load_SBit_Png (CVE-2020-15999)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The X server must be restarted (log out, then log back in) for this update
to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1890210 - CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
freetype-2.9.1-4.el8_3.1.src.rpm

aarch64:
freetype-2.9.1-4.el8_3.1.aarch64.rpm
freetype-debuginfo-2.9.1-4.el8_3.1.aarch64.rpm
freetype-debugsource-2.9.1-4.el8_3.1.aarch64.rpm
freetype-demos-debuginfo-2.9.1-4.el8_3.1.aarch64.rpm
freetype-devel-2.9.1-4.el8_3.1.aarch64.rpm

ppc64le:
freetype-2.9.1-4.el8_3.1.ppc64le.rpm
freetype-debuginfo-2.9.1-4.el8_3.1.ppc64le.rpm
freetype-debugsource-2.9.1-4.el8_3.1.ppc64le.rpm
freetype-demos-debuginfo-2.9.1-4.el8_3.1.ppc64le.rpm
freetype-devel-2.9.1-4.el8_3.1.ppc64le.rpm

s390x:
freetype-2.9.1-4.el8_3.1.s390x.rpm
freetype-debuginfo-2.9.1-4.el8_3.1.s390x.rpm
freetype-debugsource-2.9.1-4.el8_3.1.s390x.rpm
freetype-demos-debuginfo-2.9.1-4.el8_3.1.s390x.rpm
freetype-devel-2.9.1-4.el8_3.1.s390x.rpm

x86_64:
freetype-2.9.1-4.el8_3.1.i686.rpm
freetype-2.9.1-4.el8_3.1.x86_64.rpm
freetype-debuginfo-2.9.1-4.el8_3.1.i686.rpm
freetype-debuginfo-2.9.1-4.el8_3.1.x86_64.rpm
freetype-debugsource-2.9.1-4.el8_3.1.i686.rpm
freetype-debugsource-2.9.1-4.el8_3.1.x86_64.rpm
freetype-demos-debuginfo-2.9.1-4.el8_3.1.i686.rpm
freetype-demos-debuginfo-2.9.1-4.el8_3.1.x86_64.rpm
freetype-devel-2.9.1-4.el8_3.1.i686.rpm
freetype-devel-2.9.1-4.el8_3.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-15999
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
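A check an administrator can run against the package lists above, added here as an example and not part of the bulletin or of Red Hat's tooling: it compares an installed freetype NVRA with the fixed build for its stream using a Python re-implementation of the segment ordering rules of rpm's rpmvercmp (tilde, caret, numeric-beats-alpha). The function names, and the assumption that a package's dist tag (el7_9, el8, el8_2, ...) identifies the host's RHEL stream, are the example's own; on an EUS or E4S host pass the stream explicitly.

```python
"""Check an installed RHEL freetype package against the fixed builds named in
RHSA-2020:4907/4949/4950/4951/4952 (CVE-2020-15999). Added example: rpmvercmp()
re-implements the segment rules of rpm's rpmvercmp.c in Python."""
import re

# Fixed (version, release) per stream, copied from the package lists above.
FIXED = {
    "el7":   ("2.8",   "14.el7_9.1"),  # RHSA-2020:4907, RHEL 7
    "el8_0": ("2.9.1", "4.el8_0.1"),   # RHSA-2020:4949, RHEL 8.0 E4S
    "el8_1": ("2.9.1", "4.el8_1.1"),   # RHSA-2020:4950, RHEL 8.1 EUS
    "el8_2": ("2.9.1", "4.el8_2.1"),   # RHSA-2020:4951, RHEL 8.2 EUS
    "el8":   ("2.9.1", "4.el8_3.1"),   # RHSA-2020:4952, RHEL 8 (8.3)
}
_SEP = re.compile(r"[^0-9A-Za-z~^]*")  # rpm skips every other character
_NUM, _ALPHA = re.compile(r"[0-9]*"), re.compile(r"[A-Za-z]*")


def rpmvercmp(a, b):
    """-1 if a < b, 0 if equal, 1 if a > b, using rpm's segment rules."""
    i = j = 0
    while i < len(a) or j < len(b):
        i, j = _SEP.match(a, i).end(), _SEP.match(b, j).end()
        ca, cb = a[i:i + 1], b[j:j + 1]
        if ca == "~" or cb == "~":      # tilde: older than anything, even ""
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":      # caret: like tilde, but "" is older
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = "0" <= ca <= "9"        # next all-digit or all-alpha segment
        pat = _NUM if isnum else _ALPHA
        sa, sb = pat.match(a, i).group(0), pat.match(b, j).group(0)
        if not sb:                      # mixed segment types: numeric is newer
            return 1 if isnum else -1
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):      # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nvra(nvra):
    """'freetype-devel-2.8-14.el7_9.1.i686' -> (name, version, release, arch)."""
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def stream_of(release):
    """FIXED key for a dist tag such as el7_9, el8 or el8_2; None if not covered.
    Assumption: the dist tag reflects the host's stream (else pass stream=)."""
    m = re.search(r"\.(el\d+)(_\d+)?", release)
    if not m:
        return None
    full, major = m.group(1) + (m.group(2) or ""), m.group(1)
    return full if full in FIXED else major if major in FIXED else None


def freetype_status(nvra, stream=None):
    """'fixed', 'vulnerable' or 'unknown-stream' for one installed freetype* NVRA."""
    name, version, release, _arch = parse_nvra(nvra)
    if not name.startswith("freetype"):
        raise ValueError("not a freetype package: %s" % nvra)
    stream = stream or stream_of(release)
    if stream not in FIXED:
        return "unknown-stream"
    fixed_version, fixed_release = FIXED[stream]  # freetype carries no epoch
    rc = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return "fixed" if rc >= 0 else "vulnerable"
```

Feed it each line of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' 'freetype*'` from the host; a result of "vulnerable" means the installed build sorts before the advisory's fixed build for that stream.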