Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2026.2 libexif security update 24 June 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libexif Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 6 Red Hat Enterprise Linux WS/Desktop 6 Red Hat Enterprise Linux Server 8 Red Hat Impact/Access: Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-13112 Reference: ESB-2020.1888 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:2474 https://access.redhat.com/errata/RHSA-2020:2516 https://access.redhat.com/errata/RHSA-2020:2672 Comment: This bulletin contains three (3) Red Hat security advisories. Revision History: June 24 2020: Vendor released minor OS info update June 11 2020: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: libexif security update Advisory ID: RHSA-2020:2474-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:2474 Issue date: 2020-06-10 CVE Names: CVE-2020-13112 ===================================================================== 1. Summary: An update for libexif is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream E4S (v. 8.0) - aarch64, ppc64le, s390x, x86_64 3. Description: The libexif packages provide a library for extracting extra information from image files. Security Fix(es): * libexif: several buffer over-reads in EXIF MakerNote handling can lead to information disclosure and DoS (CVE-2020-13112) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1840344 - CVE-2020-13112 libexif: several buffer over-reads in EXIF MakerNote handling can lead to information disclosure and DoS 6. Package List: Red Hat Enterprise Linux AppStream E4S (v. 8.0): Source: libexif-0.6.21-17.el8_0.src.rpm aarch64: libexif-0.6.21-17.el8_0.aarch64.rpm libexif-debuginfo-0.6.21-17.el8_0.aarch64.rpm libexif-debugsource-0.6.21-17.el8_0.aarch64.rpm ppc64le: libexif-0.6.21-17.el8_0.ppc64le.rpm libexif-debuginfo-0.6.21-17.el8_0.ppc64le.rpm libexif-debugsource-0.6.21-17.el8_0.ppc64le.rpm s390x: libexif-0.6.21-17.el8_0.s390x.rpm libexif-debuginfo-0.6.21-17.el8_0.s390x.rpm libexif-debugsource-0.6.21-17.el8_0.s390x.rpm x86_64: libexif-0.6.21-17.el8_0.i686.rpm libexif-0.6.21-17.el8_0.x86_64.rpm libexif-debuginfo-0.6.21-17.el8_0.i686.rpm libexif-debuginfo-0.6.21-17.el8_0.x86_64.rpm libexif-debugsource-0.6.21-17.el8_0.i686.rpm libexif-debugsource-0.6.21-17.el8_0.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-13112 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXuCnMtzjgjWX9erEAQhfKA//dXi2bM/i3wQIo9bn78OQzfJ1VmHt1plu QuU94ZvlGRxx/BezGFTGMFTmHRItXdoR5eOhONwrz8R4ADcsFtZBmNsxaIVAkPoR 3wxy6ZB7uggUIrJMfYfbS/0sgGiDTFcnLuHOMtGG7WWsm9FaLgLo86HMGQOnhB5s PZOIvBS0gYDZ9PO16TtmRdzAnxrUGdtgneg0nbruwSng4qBExRMfJCbpuncYVSAC +RHFwHzQeTnSZ5LxbuS46IxejbRCidisYdD9G+E7/cXcgwyfLyl7XDMul2C05fMZ cAiuh3RFwbtSO3KlsTG3KmiormYvYYsIE/YaalZNDQ5/UwjqQNWXP/s0JkJa1i0x oK8Fmok8tOrxQBGhja7riZyu8M3B254ElnNJ1kH7zjwBYB9HVcQWnrxcexAhdqTc reqTwmFHJd7SlA4hCeC8gJIBeiAw7zBjhajtysIrXnqNZPgyJDvu2ZpVQweXeoVm IQGGt8hCr9RgJ1ad/VZ8T20xJfTbRG428Gud7aLl/wiJFXErWcgrLTyoYAnsjy53 9qcN+nzuwKUOSkGhp3g+uIEXI7i8oz1jOgrWaLcxsHjK7qLHk3jEWHRSDihIOxsr bSpaRhG3RkTYtLqndYr6+myroZjvusVnq8A/C8Yh/NSsbBQPVk54jukTOYLObMj/ lYEJdBggJmQ= =ILEf - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: libexif security update Advisory ID: RHSA-2020:2516-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:2516 Issue date: 2020-06-10 CVE Names: CVE-2020-13112 ===================================================================== 1. Summary: An update for libexif is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: The libexif packages provide a library for extracting extra information from image files. Security Fix(es): * libexif: several buffer over-reads in EXIF MakerNote handling can lead to information disclosure and DoS (CVE-2020-13112) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1840344 - CVE-2020-13112 libexif: several buffer over-reads in EXIF MakerNote handling can lead to information disclosure and DoS 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: libexif-0.6.21-6.el6_10.src.rpm i386: libexif-0.6.21-6.el6_10.i686.rpm libexif-debuginfo-0.6.21-6.el6_10.i686.rpm x86_64: libexif-0.6.21-6.el6_10.i686.rpm libexif-0.6.21-6.el6_10.x86_64.rpm libexif-debuginfo-0.6.21-6.el6_10.i686.rpm libexif-debuginfo-0.6.21-6.el6_10.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: libexif-debuginfo-0.6.21-6.el6_10.i686.rpm libexif-devel-0.6.21-6.el6_10.i686.rpm x86_64: libexif-debuginfo-0.6.21-6.el6_10.i686.rpm libexif-debuginfo-0.6.21-6.el6_10.x86_64.rpm libexif-devel-0.6.21-6.el6_10.i686.rpm libexif-devel-0.6.21-6.el6_10.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: libexif-0.6.21-6.el6_10.src.rpm x86_64: libexif-0.6.21-6.el6_10.i686.rpm libexif-0.6.21-6.el6_10.x86_64.rpm libexif-debuginfo-0.6.21-6.el6_10.i686.rpm libexif-debuginfo-0.6.21-6.el6_10.x86_64.rpm libexif-devel-0.6.21-6.el6_10.i686.rpm libexif-devel-0.6.21-6.el6_10.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: libexif-0.6.21-6.el6_10.src.rpm i386: libexif-0.6.21-6.el6_10.i686.rpm libexif-debuginfo-0.6.21-6.el6_10.i686.rpm libexif-devel-0.6.21-6.el6_10.i686.rpm ppc64: libexif-0.6.21-6.el6_10.ppc.rpm libexif-0.6.21-6.el6_10.ppc64.rpm libexif-debuginfo-0.6.21-6.el6_10.ppc.rpm libexif-debuginfo-0.6.21-6.el6_10.ppc64.rpm libexif-devel-0.6.21-6.el6_10.ppc.rpm libexif-devel-0.6.21-6.el6_10.ppc64.rpm s390x: libexif-0.6.21-6.el6_10.s390.rpm libexif-0.6.21-6.el6_10.s390x.rpm libexif-debuginfo-0.6.21-6.el6_10.s390.rpm libexif-debuginfo-0.6.21-6.el6_10.s390x.rpm libexif-devel-0.6.21-6.el6_10.s390.rpm libexif-devel-0.6.21-6.el6_10.s390x.rpm x86_64: libexif-0.6.21-6.el6_10.i686.rpm libexif-0.6.21-6.el6_10.x86_64.rpm libexif-debuginfo-0.6.21-6.el6_10.i686.rpm libexif-debuginfo-0.6.21-6.el6_10.x86_64.rpm libexif-devel-0.6.21-6.el6_10.i686.rpm libexif-devel-0.6.21-6.el6_10.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: libexif-0.6.21-6.el6_10.src.rpm i386: libexif-0.6.21-6.el6_10.i686.rpm libexif-debuginfo-0.6.21-6.el6_10.i686.rpm libexif-devel-0.6.21-6.el6_10.i686.rpm x86_64: libexif-0.6.21-6.el6_10.i686.rpm libexif-0.6.21-6.el6_10.x86_64.rpm libexif-debuginfo-0.6.21-6.el6_10.i686.rpm libexif-debuginfo-0.6.21-6.el6_10.x86_64.rpm libexif-devel-0.6.21-6.el6_10.i686.rpm libexif-devel-0.6.21-6.el6_10.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-13112 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXuFpstzjgjWX9erEAQhEVRAAnQxrsA8n+ESolM7kBSxOEqXhVazC727F tTxjyEsgDRh+/Gcsip2qHQxu9qzZJOhLJWerK03PwqBsjOTNDP39y2mlQOYc9zIO OsxpW1CIhQYAv1AwxMtuVB8Yh8qW/f61zZs7ZEpasCNX22WMR54DsNS5f8ljU2X+ D5IeAiaeYLxE9bgE+hzTRuWJ3MRzPHQx5mW7MjMu+QhLdZdnJ7TIlOn2TWU8gotD i+erfUTR7k26bG0rjb5MTTIvUZw8VSBWeeQ/6quKUQMiZMKIau+PxmJA/jg7bnAj U9JzwecfKH1V8/q3mKNsN6ty9aBaH/xGSonyQF7NBXKlWbyO17W18nowYuqcHDcQ eA9bnY/JZeLERgW+5DM2uG5+ANmlXU//kUJffMine01DQHW+4l1/8K9p+bif44cd CLac6fvq9z5KxNN4cBTxj89NvHoCqcoEiX+LBpiC44TxMbSxvRUDTBMNgf0fqvM2 rgOP8HKnz9JybgfTbVYiclIYcw4+10tgMWmpybMJkf6aBovTVpyu9OHvbzxR9x6+ Xd+5WOgpoONEr6wIa1vEabUNRnlaXbb+PyBe0Fu+BoYH/72IS/9LaVDZn2Jwbb08 1CUmIT98VVgiZQxNrvh1Sf5fEGQTADxGx2czek6yIvuoP2AyMk9euhtb0cCHDipj zG9VLidGjoQ= =Je4r - -----END PGP SIGNATURE----- - ---------------------------------------------------------------------------- - ----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: libexif security update Advisory ID: RHSA-2020:2672-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:2672 Issue date: 2020-06-23 CVE Names: CVE-2020-13112 ===================================================================== 1. Summary: An update for libexif is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat CodeReady Linux Builder EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64 3. Description: The libexif packages provide a library for extracting extra information from image files. Security Fix(es): * libexif: several buffer over-reads in EXIF MakerNote handling can lead to information disclosure and DoS (CVE-2020-13112) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1840344 - CVE-2020-13112 libexif: several buffer over-reads in EXIF MakerNote handling can lead to information disclosure and DoS 6. Package List: Red Hat Enterprise Linux AppStream EUS (v. 8.1): Source: libexif-0.6.21-17.el8_1.src.rpm aarch64: libexif-0.6.21-17.el8_1.aarch64.rpm libexif-debuginfo-0.6.21-17.el8_1.aarch64.rpm libexif-debugsource-0.6.21-17.el8_1.aarch64.rpm ppc64le: libexif-0.6.21-17.el8_1.ppc64le.rpm libexif-debuginfo-0.6.21-17.el8_1.ppc64le.rpm libexif-debugsource-0.6.21-17.el8_1.ppc64le.rpm s390x: libexif-0.6.21-17.el8_1.s390x.rpm libexif-debuginfo-0.6.21-17.el8_1.s390x.rpm libexif-debugsource-0.6.21-17.el8_1.s390x.rpm x86_64: libexif-0.6.21-17.el8_1.i686.rpm libexif-0.6.21-17.el8_1.x86_64.rpm libexif-debuginfo-0.6.21-17.el8_1.i686.rpm libexif-debuginfo-0.6.21-17.el8_1.x86_64.rpm libexif-debugsource-0.6.21-17.el8_1.i686.rpm libexif-debugsource-0.6.21-17.el8_1.x86_64.rpm Red Hat CodeReady Linux Builder EUS (v. 8.1): aarch64: libexif-debuginfo-0.6.21-17.el8_1.aarch64.rpm libexif-debugsource-0.6.21-17.el8_1.aarch64.rpm libexif-devel-0.6.21-17.el8_1.aarch64.rpm ppc64le: libexif-debuginfo-0.6.21-17.el8_1.ppc64le.rpm libexif-debugsource-0.6.21-17.el8_1.ppc64le.rpm libexif-devel-0.6.21-17.el8_1.ppc64le.rpm s390x: libexif-debuginfo-0.6.21-17.el8_1.s390x.rpm libexif-debugsource-0.6.21-17.el8_1.s390x.rpm libexif-devel-0.6.21-17.el8_1.s390x.rpm x86_64: libexif-debuginfo-0.6.21-17.el8_1.i686.rpm libexif-debuginfo-0.6.21-17.el8_1.x86_64.rpm libexif-debugsource-0.6.21-17.el8_1.i686.rpm libexif-debugsource-0.6.21-17.el8_1.x86_64.rpm libexif-devel-0.6.21-17.el8_1.i686.rpm libexif-devel-0.6.21-17.el8_1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-13112 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXvIAdNzjgjWX9erEAQhdSQ//WR2KL73Ko3vcYDxDtS4k3TjcRjDkDZhG EtlrEWyQtZ+5orDHfNVTotdzIonY6L1FasebZx1qPx8m1L1FLushX8tRdmAPWvqT Od7+cEaT6uSKJ7Z56E/ts/dAq8d6QegcXDb2n9RBFIUsiduID7BlNqt2gf+2OZ+3 9h0slriRu56RG7IFB762NTjrfU9Hf//YN7+Qol3Y2BW4VUwXnB/XfewRJaPSq0OB GVNp1Q7226/rRjKa3Bx/HI6Njo+neZFscHoct2SgxMk1LnGUqDBQ7CaApb01845x KPpP5NhhnpSE9dT/JGl7UCdukMI+EtH7m/AOV+jntvcxtuSqIxk2Yw5I6zmTPOL3 8ydzhWspid10qq7t7I/Ee3HzSPNCIOLmvdIl53EzgO1NupdzrKC+YKFcjmvG0bVB jaUJ5PE2ooEHLcFAjloh9j09BbASW61DZbfUB/Qb3ih9E9zqwy6semzuqmAM1muc ySaD3onFBd21dpv64YIsvMkVtx3e4+Yb4isRBX3U3zOhl1//Ezm5kurEgz3nliqk ivYb3uVeEgBB3gMHLpBO87CKHsFQhujLSucJ9220vm3yR+wjTcTz7VHYz4LTw097 NEvq7sChBLtEDSo98Ev/Wl2ZWdHBkPcGnGo/iPGgRFn/3w8lV7pVeMbgBKXTt2cA LKRhd8oye6M= =TGBd - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXvJ7GuNLKJtyKPYoAQj2rRAAkOx+JasTA1xBQq9+yyWC3AYXU3XH9cff raXoCAdATy81KCfgYyYY0Dgfec/4jEi/JILUQNzgJqdHx0hN9r6JZEuxIvqPVrWm fidy0bHoqNDoA89PBHP6irtBJSiyVjoz8WnWzFkedCSXQ+tVx8Ieb3VGLyhC7KOp TuO2yUKkBjGPKaHSWvemyb0LAl7UDihMiDMNFDS+KRoCSM92NxmUHlKuxCgXI8+a Xc8b7pxMZjziJxWvBfteQzsXrNRtg5wd2R8dawNuqwAq+B2sAg+NTxEW0Uxd3sPX BgoJ3HDVQExZj7qjZJ/uMaxDky9UI028yrsWV8JfGNBcPNk/EatdqOMv3lny4PTZ bRwoThFARUAvW+cXpNfKwF8bpvOxhxObQvpkBBVuvsuYalTgk4GljTBPZGEJAzfu G1bXzxO5+QEpsmUDYEkXm+ggYH461KrmD6Rqp86/dw+vTfpCsq32e0nfZ8wa3rHs Rz/QqmZzN2+EW9a9RnlnGxDt180UTLSFqLe0VCiiO2e8RwaiUfmIYRMHGXgvEn+1 6frp9gWg3Rf5N/Fej+ehS5234Uj28ut9f6967L0QlPi70JdGmp8J+6rMb6kY6C7p BH/pxuMJ+Fq9MlslqG0haoKlHKZLRJkk3ovzjTUZamWNA8j3RpGwVUdA4eptT7M2 PUDlQVJBzj4= =Q5z7 -----END PGP SIGNATURE-----