-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1401
                        gst plugins security update
                               26 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           gst-plugins-good1.0
                   gst-libav1.0
                   gst-plugins-bad1.0
                   gst-plugins-base1.0
                   gst-plugins-ugly1.0
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Unknown/Unspecified
                   Denial of Service               -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3498 CVE-2021-3497 

Original Bulletin: 
   http://www.debian.org/security/2021/dsa-4900
   http://www.debian.org/security/2021/dsa-4901
   http://www.debian.org/security/2021/dsa-4902
   http://www.debian.org/security/2021/dsa-4903
   http://www.debian.org/security/2021/dsa-4904

Comment: This bulletin contains five (5) Debian security advisories.
         
         This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running gst-plugins-good1.0 check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4900-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gst-plugins-good1.0
CVE ID         : CVE-2021-3497 CVE-2021-3498
Debian Bug     : 986910 986911

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), these problems have been fixed in
version 1.14.4-1+deb10u1.

We recommend that you upgrade your gst-plugins-good1.0 packages.

For the detailed security status of gst-plugins-good1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-good1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----


- --------------------------------------------------------------------------------


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4901-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gst-libav1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.
      
For the stable distribution (buster), this problem has been fixed in
version 1.15.0.1+git20180723+db823502-2+deb10u1.

We recommend that you upgrade your gst-libav1.0 packages.

For the detailed security status of gst-libav1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-libav1.0

- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----



- --------------------------------------------------------------------------------



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4902-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gst-plugins-bad1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.14.4-1+deb10u2.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-bad1.0

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----


- --------------------------------------------------------------------------------


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4903-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gst-plugins-base1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.14.4-2+deb10u1.

We recommend that you upgrade your gst-plugins-base1.0 packages.

For the detailed security status of gst-plugins-base1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-base1.0

- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----


- --------------------------------------------------------------------------------


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4904-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gst-plugins-ugly1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.14.4-1+deb10u1.

We recommend that you upgrade your gst-plugins-ugly1.0 packages.

For the detailed security status of gst-plugins-ugly1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-ugly1.0

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
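
Added example (not part of the Debian or AusCERT text): a check of installed GStreamer source packages against the buster fixed versions listed in the five advisories above. It assumes the input is the output of dpkg-query -W -f='${source:Package} ${source:Version}\n'; the function names are this example's own, and the version ordering is reimplemented here from dpkg's comparison rules instead of calling dpkg.

```python
import re
# Fixed versions for Debian buster, copied from DSA-4900-1 to DSA-4904-1 above.
FIXED = {
    "gst-plugins-good1.0": "1.14.4-1+deb10u1",
    "gst-libav1.0": "1.15.0.1+git20180723+db823502-2+deb10u1",
    "gst-plugins-bad1.0": "1.14.4-1+deb10u2",
    "gst-plugins-base1.0": "1.14.4-2+deb10u1",
    "gst-plugins-ugly1.0": "1.14.4-1+deb10u1",
}

def _order(c):
    # dpkg character order: '~' sorts before end-of-string (0), letters before symbols.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # dpkg rule: compare a non-digit run by character order, then a digit run numerically.
    while a or b:
        na, da, a = re.match(r"([^0-9]*)([0-9]*)(.*)", a).groups()
        nb, db, b = re.match(r"([^0-9]*)([0-9]*)(.*)", b).groups()
        for k in range(max(len(na), len(nb))):
            ac = _order(na[k]) if k < len(na) else 0
            bc = _order(nb[k]) if k < len(nb) else 0
            if ac != bc:
                return -1 if ac < bc else 1
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch ends at the first ':', revision starts at the last '-'.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def deb_cmp(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(listing):
    # listing: one "source-package version" pair per line; returns sources older than the fix.
    rows = {tuple(l.split()) for l in listing.splitlines() if len(l.split()) == 2}
    return sorted((s, v, FIXED[s]) for s, v in rows if s in FIXED and deb_cmp(v, FIXED[s]) < 0)

# Constructed sample listing (not from a real host).
SAMPLE = ("gst-plugins-good1.0 1.14.4-1\n"
          "gst-libav1.0 1.15.0.1+git20180723+db823502-2\n"
          "gst-plugins-bad1.0 1.14.4-1+deb10u2\n"
          "bash 5.0-4\n")
print(unpatched(SAMPLE))
```

An empty result means every listed GStreamer source package is at or above its fixed version; the table applies to buster only.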

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----