Debian 10264 Published by

The following two security updates has been released for Debian GNU/Linux 8 LTS:

DLA 1690-1: liblivemedia security update
DLA 1691-1: exiv2 security update



DLA 1690-1: liblivemedia security update




Package : liblivemedia
Version : 2014.01.13-1+deb8u2
CVE ID : CVE-2019-6256 CVE-2019-7314
Debian Bug : 919529

Multiple vulnerabilities have been discovered in liblivemedia, the
LIVE555 RTSP server library:

CVE-2019-6256

liblivemedia servers with RTSP-over-HTTP tunneling enabled are
vulnerable to an invalid function pointer dereference. This issue
might happen during error handling when processing two GET and
POST requests being sent with identical x-sessioncookie within
the same TCP session and might be leveraged by remote attackers
to cause DoS.

CVE-2019-7314

liblivemedia servers with RTSP-over-HTTP tunneling enabled are
affected by a use-after-free vulnerability. This vulnerability
might be triggered by remote attackers to cause DoS (server crash)
or possibly unspecified other impact.

For Debian 8 "Jessie", these problems have been fixed in version
2014.01.13-1+deb8u2.

We recommend that you upgrade your liblivemedia packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1691-1: exiv2 security update




From: Thorsten Alteholz
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1691-1] exiv2 security update

Package : exiv2
Version : 0.24-4.1+deb8u3
CVE ID : CVE-2018-17581 CVE-2018-19107 CVE-2018-19108
CVE-2018-19535 CVE-2018-20097


Several issues have been found in exiv2, a EXIF/IPTC/XMP metadata
manipulation tool.

CVE-2018-17581
A stack overflow due to a recursive function call causing excessive
stack consumption which leads to denial of service.

CVE-2018-19107
A heap based buffer over-read caused by an integer overflow could
result in a denial of service via a crafted file.

CVE-2018-19108
There seems to be an infinite loop inside a function that can be
activated by a crafted image.

CVE-2018-19535
A heap based buffer over-read caused could result in a denial of
service via a crafted file.

CVE-2018-20097
A crafted image could result in a denial of service.


For Debian 8 "Jessie", these problems have been fixed in version
0.24-4.1+deb8u3.

We recommend that you upgrade your exiv2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS