[SECURITY] [DLA 2829-1] libvpx security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian LTS Advisory DLA-2829-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Adrian Bunk November 27, 2021 https://wiki.debian.org/LTS - - Package: libvpx Version: 1.6.1-3+deb9u3 CVE ID : CVE-2020-0034 An out-of-bounds buffer read on truncated key frames in vp8_decode_frame has been fixed in libvpx, a popular library for the VP8 and VP9 video codecs. For Debian 9 stretch, this problem has been fixed in version 1.6.1-3+deb9u3. We recommend that you upgrade your libvpx packages. For the detailed security status of libvpx please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libvpx Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmGioPkACgkQiNJCh6LY mLGdAw/9GvAA175hBpQ87186u6qe1rm62IDaixyba/LSPf14yWJznKqZzw/g8ZVp whStu5edJUVhNYcwJf2Utc5EVNgxaBfaz4WQ4jjWKVHrKPkN9CwFLAC1M7ZL33I0 jRxOi0aihgj1IWUMgxxHdPG206Z9D/xpdxXDS2RBLQA15uMDvRM6NAo4HToivyzk Y/jRuFxYx08lwCq5mHWpe1rA8iWTjp48z+iAe3kapui39Q3ZijNIDW6RLXMUqb6l /1Aw/S+82oj5A0WdH43KZa9U88PmX8qs3hQOVxScvTO3nckELUI3Xj82ejrLQdyD El+o3KmmlgsACFKmDy6+lsKFBkPKySEAU12KJ9BMZQdl2CIX3CMGdvHnOfkwTZub j9C7ySJLGUXUeyw6DNOiAf8M/bXVE4wV8KjKZ3gfEX1nkI2+6BKtGKmwTsPXuWOe SBVuf5wMSpQ8DwXhXTLfCuH78UkQYX+eO855eAcmDDlJt+YjuZHkBiFkNl2+LvHm 6u5V6F6r7+lkFjlYZ4EPK1mq6ELXvedxNYBUFJmWE/wioXRKRyLcAZwhTgv3Gzh+ yXhRX4gcQQkdh81IQCoD9QP9YokgIhkXYvRfFWHqkqsuvXg1le1dUsh8lqGR9xhm xYZJ5CcNGFL3EoJhOjj05wWYOHhr/ibtNEAOXFty1rIn+Ik0P34= =TZzB -END PGP SIGNATURE-
[SECURITY] [DLA 2828-1] libvorbis security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian LTS Advisory DLA-2828-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Adrian Bunk November 27, 2021 https://wiki.debian.org/LTS - - Package: libvorbis Version: 1.3.5-4+deb9u3 CVE ID : CVE-2017-14160 CVE-2018-10392 CVE-2018-10393 Debian Bug : 876780 Several vulnerabilities were fixed in libvorbis, a popular library for the Vorbis audio codec. CVE-2017-14160 CVE-2018-10393 Improve bound checking for very low sample rates. CVE-2018-10392 Validate the number of channels in vorbisenc.c For Debian 9 stretch, these problems have been fixed in version 1.3.5-4+deb9u3. We recommend that you upgrade your libvorbis packages. For the detailed security status of libvorbis please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libvorbis Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmGiiVIACgkQiNJCh6LY mLFPyg//XZOyldaUQzxMyIOZ8J4a+rre0UWSxbpPAjZ7jk8q+iu+OhS/w/zDfZ/1 FhKr1q+9fIwqAQUjXGyI7g1Nx5cL5LstvHn21JmhlqkpJuBpoxIHW7vQ6Dmm47qo SRSf3qQyHTQBPbLZeGJQgXRGcHE4Wqgdr0IAjlOjlsC1I/9lUOlhlZgvayPWXDTO yfyrOSQhlAYC8lnJXkHm3z6N8F+lBA9Hr+gGjvhuwncj6qHEPMfo7+ZuroJBgQrH 4p21vN3Y1GmGEMo1w9Jm6OaOBd6h9wAkxRuwhMa0/mTzIQH2RDdSp+7V7Nlq+XOp Ww36BwX6D5t8oD+zWA0dS8mV5yqoYbetHMnJ+9wA6QrWMrt73wb2VXJJZ0S558Jf of2ij5oiTJOWsbwDpZ4xMxOup2szEn+sOt+6hnlckmeoHm0E3tmYkEVLIgaEqLR7 Xut/lsBw+YxpJXbUYeXUATAlcgkdrCm+zdZZsNXI1JXNUkwUkoWz3EBqXGlHWW36 Koh1dVC+Mo+bCPGOKdXssBGzqrAT0g4BSgmPS7jzjMD0j4wkJBsGbX2MAUBzp0di NNUMGCJ0mWfysPOdyEK8rydgeHA+9dWYYcdwC10xPDH8QTw5wVVNbEDcqRbedJ3l kvGXWOy/Fisyeyb0vTKsBNaP6SHtx1lIug9GWjYsxZSaClcr934= =Z2K3 -END PGP SIGNATURE-
[SECURITY] [DLA 2827-1] bluez security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian LTS Advisory DLA-2827-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Sylvain Beucler November 27, 2021 https://wiki.debian.org/LTS - - Package: bluez Version: 5.43-2+deb9u5 CVE ID : CVE-2019-8921 CVE-2019-8922 CVE-2021-41229 Debian Bug : 1000262 Several vulnerabilities were discovered in BlueZ, the Linux Bluetooth protocol stack. An attacker could cause a denial-of-service (DoS) or leak information. CVE-2019-8921 SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. CVE-2019-8922 SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response. CVE-2021-41229 sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash. For Debian 9 stretch, these problems have been fixed in version 5.43-2+deb9u5. We recommend that you upgrade your bluez packages. For the detailed security status of bluez please refer to its security tracker page at: https://security-tracker.debian.org/tracker/bluez Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmGiEh0ACgkQDTl9HeUl XjCqVQ/9HDvMcYwdegi6hxeBdzaBghIHveFKGx9HxOSEVHjtFabZbURMWT+nlg1a TvhzC2YPKGyvqV6DJz3d1Nvc01bHcqRr/0ZUywn7bgjsCyjhNGTQCJgCL4lGdRkb i9fsgDRVAb94PACw9O4o5FvpAexAIpNlhEi8+jyPmUa/dgPXS6UwD9SG1jbvAY/L NK4uilj6y0rcLuJLNS5DlXsSKSaQ/OauzPcZgh3r99C4SU51Ix90GbhBL/+C7aox hP8s85bjfMMpqrkxqu+210Pf+J/fQc/h/LGBGryQqgaOdQ2Feu8YOLTSG64M42UJ Bm0Xw3MXbxOl4Rk2eg86g0zf/s/ONBGZZcIdHwJDDeWvWRtoJ+b/FceWdJvlgxBA 0gwzWsdvlaporMIabqhgVVRebpsK9sSJ3MLVo6ADZV3UZvfNdPQYmh5psvzBgYXX O01V+kB5Gxd+MegV8QfOb+pKE+jNTrwhzWOx5z2J9T6nTBo6ABq9PgBHKqJnO2Ov K1rwRF1EMPjnM+en1plSjfNRIxATBTDXAISryK00NL+X35QgetA5YcVWH0bHbLZr kXE2pk/56UzC64Fw+wkTJKwxNP7TykFAY6JZAwtDb58jssXOXHa8j5wzQ4IZ8Kcd t7QY1Xt77yyFlVLWszbkQtFsWX7hETVnEC90tNHrIYXe34dELso= =fTkb -END PGP SIGNATURE-