===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1401
gst plugins security update
26 April 2021
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           gst-plugins-good1.0
                   gst-libav1.0
                   gst-plugins-bad1.0
                   gst-plugins-base1.0
                   gst-plugins-ugly1.0
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Unknown/Unspecified
                   Denial of Service               -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3498 CVE-2021-3497

Original Bulletin:
   http://www.debian.org/security/2021/dsa-4900
   http://www.debian.org/security/2021/dsa-4901
   http://www.debian.org/security/2021/dsa-4902
   http://www.debian.org/security/2021/dsa-4903
   http://www.debian.org/security/2021/dsa-4904

Comment: This bulletin contains five (5) Debian security advisories.

         This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running gst-plugins-good1.0 check for an updated version of the
         software for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4900-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gst-plugins-good1.0
CVE ID         : CVE-2021-3497 CVE-2021-3498
Debian Bug     : 986910 986911

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), these problems have been fixed in
version 1.14.4-1+deb10u1.

We recommend that you upgrade your gst-plugins-good1.0 packages.

For the detailed security status of gst-plugins-good1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-good1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------------------------------------------------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4901-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gst-libav1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.15.0.1+git20180723+db823502-2+deb10u1.

We recommend that you upgrade your gst-libav1.0 packages.

For the detailed security status of gst-libav1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-libav1.0

--------------------------------------------------------------------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4902-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gst-plugins-bad1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.14.4-1+deb10u2.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-bad1.0

--------------------------------------------------------------------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4903-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gst-plugins-base1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.14.4-2+deb10u1.

We recommend that you upgrade your gst-plugins-base1.0 packages.

For the detailed security status of gst-plugins-base1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-base1.0

--------------------------------------------------------------------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4904-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gst-plugins-ugly1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.14.4-1+deb10u1.

We recommend that you upgrade your gst-plugins-ugly1.0 packages.

For the detailed security status of gst-plugins-ugly1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-ugly1.0

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
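
A check against the fixed versions listed in the five advisories above, as an added example that is not part of the AusCERT or Debian text: it compares installed source-package versions with the buster fix versions using the Debian version ordering, which a plain string comparison gets wrong for suffixes such as +deb10u1 or "~". The input format ("<source package> <version>" per line), the function names and the sample versions are assumptions constructed for illustration.

```python
import re
from itertools import zip_longest

# Fixed versions for Debian buster, copied from DSA-4900-1 to DSA-4904-1.
FIXED = {
    "gst-plugins-good1.0": "1.14.4-1+deb10u1",
    "gst-libav1.0": "1.15.0.1+git20180723+db823502-2+deb10u1",
    "gst-plugins-bad1.0": "1.14.4-1+deb10u2",
    "gst-plugins-base1.0": "1.14.4-2+deb10u1",
    "gst-plugins-ugly1.0": "1.14.4-1+deb10u1",
}
_SPLIT = re.compile(r"(?:(\d+):)?(.*?)(?:-([^-]*))?$")  # [epoch:]upstream[-revision]

def _order(c):
    # Non-digit ordering: '~' < end of run (0) < letters < other characters.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _key(part):
    # Alternating (non-digit run, number) pairs; the appended 0 ends each run.
    return [(tuple(map(_order, nd)) + (0,), int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", part)]

def _cmp_part(a, b):
    for x, y in zip_longest(_key(a), _key(b), fillvalue=((0,), 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def debian_cmp(a, b):
    """Compare two Debian versions; returns -1, 0 or 1."""
    (ea, ua, ra), (eb, ub, rb) = (_SPLIT.match(v).groups(default="") for v in (a, b))
    ea, eb = int(ea or 0), int(eb or 0)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(listing):
    """listing: lines of '<source package> <version>'. Returns {package: status}."""
    have = dict(line.split() for line in listing.strip().splitlines())
    return {pkg: "not installed" if pkg not in have
            else "patched" if debian_cmp(have[pkg], fixed) >= 0 else "needs upgrade"
            for pkg, fixed in FIXED.items()}

# Constructed sample listing (assumed format, not output from a real host).
SAMPLE = """
gst-plugins-good1.0 1.14.4-1
gst-libav1.0 1.15.0.1+git20180723+db823502-2+deb10u1
gst-plugins-bad1.0 1.14.4-1+deb10u1
gst-plugins-base1.0 1.14.4-2+deb10u1~rc1
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a Debian host, dpkg --compare-versions applies the same ordering and is the authoritative check.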