-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2321
                   [DLA 1465-1] blender security update
                              14 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           blender
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12105 CVE-2017-12104 CVE-2017-12103
                   CVE-2017-12102 CVE-2017-12101 CVE-2017-12100
                   CVE-2017-12099 CVE-2017-12086 CVE-2017-12082
                   CVE-2017-12081 CVE-2017-2918 CVE-2017-2908
                   CVE-2017-2907 CVE-2017-2906 CVE-2017-2905
                   CVE-2017-2904 CVE-2017-2903 CVE-2017-2902
                   CVE-2017-2901 CVE-2017-2900 CVE-2017-2899

Reference:         ESB-2018.2074

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/08/msg00011.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : blender
Version        : 2.72.b+dfsg0-3+deb8u1
CVE ID         : CVE-2017-2899 CVE-2017-2900 CVE-2017-2901 CVE-2017-2902
                 CVE-2017-2903 CVE-2017-2904 CVE-2017-2905 CVE-2017-2906
                 CVE-2017-2907 CVE-2017-2908 CVE-2017-2918
                 CVE-2017-12081 CVE-2017-12082 CVE-2017-12086
                 CVE-2017-12099 CVE-2017-12100 CVE-2017-12101
                 CVE-2017-12102 CVE-2017-12103 CVE-2017-12104
                 CVE-2017-12105

Multiple vulnerabilities have been discovered in various parsers of
Blender, a 3D modeller/renderer. Malformed .blend model files and
malformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may
result in the execution of arbitrary code.

For Debian 8 "Jessie", these problems have been fixed in version
2.72.b+dfsg0-3+deb8u1.

We recommend that you upgrade your blender packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----