===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2020.0012
freeimage security update
2 January 2020
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           freeimage
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 10
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12213 CVE-2019-12211
Reference:         ESB-2019.4600
Original Bulletin: http://www.debian.org/security/2019/dsa-4593

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4593-1                   security@debian.org
https://www.debian.org/security/                            Hugo Lefeuvre
December 27, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : freeimage
CVE ID         : CVE-2019-12211 CVE-2019-12213
Debian Bug     : 929597

It was found that freeimage, a graphics library, was affected by the
following two security issues:

CVE-2019-12211

    Heap buffer overflow caused by invalid memcpy in PluginTIFF. This
    flaw might be leveraged by remote attackers to trigger denial of
    service or any other unspecified impact via crafted TIFF data.

CVE-2019-12213

    Stack exhaustion caused by unwanted recursion in PluginTIFF. This
    flaw might be leveraged by remote attackers to trigger denial of
    service via crafted TIFF data.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.17.0+ds1-5+deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 3.18.0+ds2-1+deb10u1.

We recommend that you upgrade your freeimage packages.

For the detailed security status of freeimage please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/freeimage

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================