===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0928
                      graphicsmagick security update
                               16 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           graphicsmagick
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 10
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-19953 CVE-2019-19951 CVE-2019-19950
                   CVE-2019-11506 CVE-2019-11505 CVE-2019-11474
                   CVE-2019-11473 CVE-2019-11010 CVE-2019-11009
                   CVE-2019-11008 CVE-2019-11007 CVE-2019-11006
                   CVE-2019-11005 CVE-2018-20189 CVE-2018-20185
                   CVE-2018-20184

Reference:         ESB-2020.0338
                   ESB-2019.1804
                   ESB-2019.1273
                   ESB-2019.0012

Original Bulletin:
   http://www.debian.org/security/2020/dsa-4640

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4640-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 15, 2020                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : graphicsmagick
CVE ID         : CVE-2019-19950 CVE-2019-19951 CVE-2019-19953
                 CVE-2019-11474 CVE-2019-11473 CVE-2019-11506
                 CVE-2019-11505 CVE-2019-11010 CVE-2019-11009
                 CVE-2019-11008 CVE-2019-11007 CVE-2019-11006
                 CVE-2019-11005 CVE-2018-20189 CVE-2018-20185
                 CVE-2018-20184

This update fixes several vulnerabilities in Graphicsmagick: Various memory
handling problems and cases of missing or incomplete input sanitising
may result in denial of service, memory disclosure or the execution
of arbitrary code if malformed media files are processed.

For the oldstable distribution (stretch), these problems have been fixed
in version 1.3.30+hg15796-1~deb9u3.

For the stable distribution (buster), these problems have been fixed in
version 1.4~hg15978-1+deb10u1.

We recommend that you upgrade your graphicsmagick packages.

For the detailed security status of graphicsmagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/graphicsmagick

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
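Added example, not part of the AusCERT or Debian text: a Python check of installed graphicsmagick versions against the fixed versions quoted above. It reimplements dpkg's version ordering, in which `~` sorts before everything, so a plain string comparison of these versions gives wrong answers. The host names and installed versions in the inventory are constructed for illustration.

```python
import re
from itertools import zip_longest
# Fixed versions quoted in DSA-4640-1 above.
FIXED = {"stretch": "1.3.30+hg15796-1~deb9u3", "buster": "1.4~hg15978-1+deb10u1"}
# Constructed inventory (host, release, installed version); not real systems.
INVENTORY = [
    ("web01", "stretch", "1.3.30+hg15796-1~deb9u2"),
    ("web02", "stretch", "1.3.30+hg15796-1~deb9u3"),
    ("img01", "buster", "1.4~hg15978-1"),
    ("img02", "buster", "1.4-1"),
]
RUNS = re.compile(r"(\D*)(\d*)")  # one text run followed by one number run

def _order(ch):
    # dpkg weights: '~' sorts before end of string (0), then letters, then the rest
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare upstream or revision strings as alternating text/number runs."""
    pairs = zip_longest(RUNS.findall(a), RUNS.findall(b), fillvalue=("", ""))
    for (ta, na), (tb, nb) in pairs:
        for ca, cb in zip_longest(ta, tb, fillvalue=""):
            wa, wb = (_order(ca) if ca else 0), (_order(cb) if cb else 0)
            if wa != wb:
                return -1 if wa < wb else 1
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(v):
    """Split [epoch:]upstream[-revision]; a missing epoch is 0."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def deb_cmp(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_upgrade(release, installed):
    return deb_cmp(installed, FIXED[release]) < 0

def audit(inventory=INVENTORY):
    """Hosts whose graphicsmagick is older than the fixed version for their release."""
    return [host for host, rel, ver in inventory if needs_upgrade(rel, ver)]
```

On a Debian host itself, `dpkg --compare-versions` performs the same comparison.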