-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.5316
                          libwebp security update
                             19 September 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libwebp
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-4863  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2023:5189

Comment: CVSS (Max):  9.6 CVE-2023-4863 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
         
         The following are listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog:
         CISA KEV CVE(s): CVE-2023-4863
         CISA KEV URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: libwebp security update
Advisory ID:       RHSA-2023:5189-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5189
Issue date:        2023-09-18
CVE Names:         CVE-2023-4863 
=====================================================================

1. Summary:

An update for libwebp is now available for Red Hat Enterprise Linux 8.6
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libwebp packages provide a library and tools for the WebP graphics
format. WebP is an image format offering both lossy and lossless compression
of digital images. WebP consists of a codec based on the VP8 format and a
container based on the Resource Interchange File Format (RIFF). Webmasters,
web developers and browser developers can use WebP to compress, archive, and
distribute digital images more efficiently.
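
The container described above, walked by an added example that is not part
of this advisory or of libwebp itself. It validates the RIFF framing (magic,
declared size, chunk headers and padding) and reports which codec chunk comes
first, so it can identify WebP content regardless of file extension. It does
not decode VP8 or VP8L data, so a well-formed container says nothing about
whether the codec overflow fixed here (CVE-2023-4863) would be triggered. The
function names, the `triage` verdicts and the sample byte strings are this
example's own constructions.

```python
"""Walk the RIFF framing of a WebP file and validate the declared sizes.

Added example, not code from libwebp or the advisory. It only inspects the
container (RIFF header plus chunk list); it does not decode VP8/VP8L data and
cannot tell whether a file triggers CVE-2023-4863, which lives in the codec.
The sample bytes at the bottom are constructed.
"""
import struct

RIFF_HEADER = 12                          # "RIFF" + u32 size + "WEBP"
CHUNK_HEADER = 8                          # FourCC + u32 payload size
IMAGE_CHUNKS = {"VP8 ", "VP8L", "VP8X"}   # lossy, lossless, extended


class WebPError(ValueError):
    """Raised when the container's framing is inconsistent."""


def is_webp(data: bytes) -> bool:
    return len(data) >= RIFF_HEADER and data[:4] == b"RIFF" and data[8:12] == b"WEBP"


def walk_webp(data: bytes):
    """Return [(fourcc, payload_len), ...] in file order.

    Every size is checked against the bytes actually present before it is
    trusted. Python integers do not wrap, so `start + size` cannot overflow
    here; a C port must test `size > end - start` rather than compute
    `start + size` from an attacker-controlled 32-bit length.
    """
    if not is_webp(data):
        raise WebPError("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", data, 4)[0]   # bytes after this field
    if riff_size + 8 > len(data):
        raise WebPError(f"RIFF size {riff_size} exceeds the {len(data)}-byte file")
    end = 8 + riff_size
    off = RIFF_HEADER
    chunks = []
    while off < end:
        if end - off < CHUNK_HEADER:
            raise WebPError(f"{end - off} stray bytes at offset {off}")
        fourcc = data[off:off + 4].decode("ascii", "replace")
        size = struct.unpack_from("<I", data, off + 4)[0]
        start = off + CHUNK_HEADER
        if size > end - start:
            raise WebPError(f"chunk {fourcc!r} at {off} declares {size} bytes, "
                            f"{end - start} remain")
        chunks.append((fourcc, size))
        off = start + size + (size & 1)     # payloads are padded to even length
    if not chunks or chunks[0][0] not in IMAGE_CHUNKS:
        raise WebPError("first chunk is not VP8 /VP8L/VP8X")
    return chunks


def triage(data: bytes):
    """('not-webp' | 'malformed' | 'ok', detail) for scanning a pile of files."""
    if not is_webp(data):
        return ("not-webp", "")
    try:
        chunks = walk_webp(data)
    except WebPError as exc:
        return ("malformed", str(exc))
    return ("ok", chunks[0][0])


def build_webp(chunks):
    """Assemble a container from (fourcc, payload) pairs; used for the samples."""
    body = b"".join(
        fourcc.encode("ascii") + struct.pack("<I", len(payload)) + payload
        + (b"\x00" if len(payload) & 1 else b"")
        for fourcc, payload in chunks
    )
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body


# Constructed samples. The VP8L payload is a placeholder, not a decodable
# image; it is 5 bytes long so the padding rule is exercised.
SAMPLE_WEBP = build_webp([("VP8L", b"\x2f\x00\x00\x00\x10")])
_bad = bytearray(SAMPLE_WEBP)
struct.pack_into("<I", _bad, 16, 0xFFFFFFF0)   # chunk size far past the file
OVERSIZED_CHUNK = bytes(_bad)

if __name__ == "__main__":
    for label, blob in [("sample", SAMPLE_WEBP), ("truncated", SAMPLE_WEBP[:20]),
                        ("oversized", OVERSIZED_CHUNK), ("gif", b"GIF89a")]:
        print(f"{label:10} {triage(blob)}")
```

The two size checks are the ones that matter: the RIFF size is compared with
the real file length before it is used as a bound, and each chunk size is
compared with the bytes remaining rather than added to the offset. With a
VP8X first chunk the image data follows in later chunks, so the full list is
returned for the caller to inspect.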

Security Fix(es):

* libwebp: Heap buffer overflow in WebP Codec (CVE-2023-4863)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2238431 - CVE-2023-4863 libwebp: Heap buffer overflow in WebP Codec

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:
libwebp-1.0.0-7.el8_6.1.src.rpm

aarch64:
libwebp-1.0.0-7.el8_6.1.aarch64.rpm
libwebp-debuginfo-1.0.0-7.el8_6.1.aarch64.rpm
libwebp-debugsource-1.0.0-7.el8_6.1.aarch64.rpm
libwebp-devel-1.0.0-7.el8_6.1.aarch64.rpm
libwebp-java-debuginfo-1.0.0-7.el8_6.1.aarch64.rpm
libwebp-tools-debuginfo-1.0.0-7.el8_6.1.aarch64.rpm

ppc64le:
libwebp-1.0.0-7.el8_6.1.ppc64le.rpm
libwebp-debuginfo-1.0.0-7.el8_6.1.ppc64le.rpm
libwebp-debugsource-1.0.0-7.el8_6.1.ppc64le.rpm
libwebp-devel-1.0.0-7.el8_6.1.ppc64le.rpm
libwebp-java-debuginfo-1.0.0-7.el8_6.1.ppc64le.rpm
libwebp-tools-debuginfo-1.0.0-7.el8_6.1.ppc64le.rpm

s390x:
libwebp-1.0.0-7.el8_6.1.s390x.rpm
libwebp-debuginfo-1.0.0-7.el8_6.1.s390x.rpm
libwebp-debugsource-1.0.0-7.el8_6.1.s390x.rpm
libwebp-devel-1.0.0-7.el8_6.1.s390x.rpm
libwebp-java-debuginfo-1.0.0-7.el8_6.1.s390x.rpm
libwebp-tools-debuginfo-1.0.0-7.el8_6.1.s390x.rpm

x86_64:
libwebp-1.0.0-7.el8_6.1.i686.rpm
libwebp-1.0.0-7.el8_6.1.x86_64.rpm
libwebp-debuginfo-1.0.0-7.el8_6.1.i686.rpm
libwebp-debuginfo-1.0.0-7.el8_6.1.x86_64.rpm
libwebp-debugsource-1.0.0-7.el8_6.1.i686.rpm
libwebp-debugsource-1.0.0-7.el8_6.1.x86_64.rpm
libwebp-devel-1.0.0-7.el8_6.1.i686.rpm
libwebp-devel-1.0.0-7.el8_6.1.x86_64.rpm
libwebp-java-debuginfo-1.0.0-7.el8_6.1.i686.rpm
libwebp-java-debuginfo-1.0.0-7.el8_6.1.x86_64.rpm
libwebp-tools-debuginfo-1.0.0-7.el8_6.1.i686.rpm
libwebp-tools-debuginfo-1.0.0-7.el8_6.1.x86_64.rpm
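
Confirming that a host actually runs the fixed build, as an added example
that is not from Red Hat or this advisory. It reimplements rpm's rpmvercmp
ordering in Python so it can run off-host against captured `rpm -q` output,
parses the NVRA lines that `rpm -q libwebp libwebp-devel` prints, and compares
each against the 1.0.0-7.el8_6.1 EVR from the package list above. The
`--live` flag, the `audit` and `parse_nevra` names and the sample output lines
are this example's own constructions; the 1.0.0-5.el8 line stands in for an
older build.

```python
"""Check whether installed libwebp packages carry the EVR shipped by RHSA-2023:5189.

Added example, not part of the advisory. It reimplements rpm's version
comparison (rpmvercmp) so the check runs anywhere, and parses the NVRA lines
that `rpm -q libwebp libwebp-devel` prints. The sample lines are constructed.
"""
import re

# EVR of every binary package in section 6 of the advisory (RHEL 8.6 EUS).
FIXED_EVR = ("0", "1.0.0", "7.el8_6.1")          # (epoch, version, release)
ADVISORY_PACKAGES = {"libwebp", "libwebp-devel"}  # names listed in section 6


def _ascii_alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1, 0 or 1 as a <, ==, > b.

    Segments are compared alternately as numbers and alphabetic runs; '~'
    sorts before everything (pre-releases), '^' sorts after the base version.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators such as '.', '-' and '_'
        while i < len(a) and not (_ascii_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_ascii_alnum(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pat = r"[0-9]" if isnum else r"[A-Za-z]"
        sa = re.match(pat + "+", a[i:]).group(0)
        sb = re.match(pat + "*", b[j:]).group(0)
        i, j = i + len(sa), j + len(sb)
        if not sb:                      # segment types differ: numbers win
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):      # longer number is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nevra(nevra: str):
    """Split 'name-[epoch:]version-release.arch' into its five fields."""
    rest, arch = nevra.rsplit(".", 1)
    rest, release = rest.rsplit("-", 1)
    name, version = rest.rsplit("-", 1)
    epoch = "0"
    if ":" in version:                  # present with --qf '%{EPOCHNUM}:...'
        epoch, version = version.split(":", 1)
    return name, epoch, version, release, arch


def compare_evr(a, b) -> int:
    for x, y in zip(a, b):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def audit(rpm_q_lines):
    """Map each installed advisory package (NVRA) to 'fixed' or 'VULNERABLE'.

    Only meaningful against the erratum for the host's own RHEL stream: the
    release tag el8_6.1 belongs to 8.6 EUS, and tags from other streams do not
    order against it in a useful way.
    """
    verdicts = {}
    for line in rpm_q_lines:
        line = line.strip()
        if not line or "is not installed" in line:   # rpm -q's own message
            continue
        name, epoch, version, release, _arch = parse_nevra(line)
        if name not in ADVISORY_PACKAGES:
            continue
        rc = compare_evr((epoch, version, release), FIXED_EVR)
        verdicts[line] = "fixed" if rc >= 0 else "VULNERABLE"
    return verdicts


# Constructed sample of `rpm -q libwebp libwebp-devel libwebp-tools` output.
SAMPLE_RPM_Q = [
    "libwebp-1.0.0-5.el8.x86_64",
    "libwebp-devel-1.0.0-7.el8_6.1.x86_64",
    "package libwebp-tools is not installed",
]

if __name__ == "__main__":
    import subprocess, sys
    lines = SAMPLE_RPM_Q
    if len(sys.argv) > 1 and sys.argv[1] == "--live":    # query the local rpmdb
        out = subprocess.run(["rpm", "-q", *sorted(ADVISORY_PACKAGES)],
                             capture_output=True, text=True).stdout
        lines = out.splitlines()
    for pkg, verdict in audit(lines).items():
        print(f"{verdict:10} {pkg}")
```

Two caveats. The comparison is only valid against the erratum for the host's
own stream: el8_6.1 is the 8.6 EUS tag, and another stream's release tag
compares numerically but not meaningfully, so take FIXED_EVR from the advisory
that applies there. And this covers only the distribution package; software
that bundles its own copy of libwebp is not updated by this erratum and needs
its own fix.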

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-4863
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----