ESB-2016.0673 - [Debian] graphite2: Multiple vulnerabilities

Date: 14 March 2016
References: ASB-2016.0025  ESB-2016.0635  ESB-2016.0639  ESB-2016.0707  ESB-2016.0725  ESB-2016.0728  ESB-2016.0767  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0673
                         graphite2 security update
                               14 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           graphite2
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2802 CVE-2016-2801 CVE-2016-2800
                   CVE-2016-2799 CVE-2016-2798 CVE-2016-2797
                   CVE-2016-2796 CVE-2016-2795 CVE-2016-2794
                   CVE-2016-2793 CVE-2016-2792 CVE-2016-2791
                   CVE-2016-2790 CVE-2016-1977 

Reference:         ASB-2016.0025
                   ESB-2016.0639
                   ESB-2016.0635

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3515

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3515-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 13, 2016                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : graphite2
CVE ID         : CVE-2016-1977 CVE-2016-2790 CVE-2016-2791 CVE-2016-2792 
                 CVE-2016-2793 CVE-2016-2794 CVE-2016-2795 CVE-2016-2796
                 CVE-2016-2797 CVE-2016-2798 CVE-2016-2799 CVE-2016-2800
                 CVE-2016-2801 CVE-2016-2802

Multiple vulnerabilities have been found in the Graphite font rendering
engine which might result in denial of service or the execution of
arbitrary code if a malformed font file is processed.

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.3.6-1~deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 1.3.6-1~deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 1.3.6-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.3.6-1.

We recommend that you upgrade your graphite2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----