The following two security updates has been released for Debian GNU/Linux 8 LTS:
DLA 1690-1: liblivemedia security update
DLA 1691-1: exiv2 security update
DLA 1690-1: liblivemedia security update
DLA 1691-1: exiv2 security update
DLA 1690-1: liblivemedia security update
Package : liblivemedia
Version : 2014.01.13-1+deb8u2
CVE ID : CVE-2019-6256 CVE-2019-7314
Debian Bug : 919529
Multiple vulnerabilities have been discovered in liblivemedia, the
LIVE555 RTSP server library:
CVE-2019-6256
liblivemedia servers with RTSP-over-HTTP tunneling enabled are
vulnerable to an invalid function pointer dereference. This issue
might happen during error handling when processing two GET and
POST requests being sent with identical x-sessioncookie within
the same TCP session and might be leveraged by remote attackers
to cause DoS.
CVE-2019-7314
liblivemedia servers with RTSP-over-HTTP tunneling enabled are
affected by a use-after-free vulnerability. This vulnerability
might be triggered by remote attackers to cause DoS (server crash)
or possibly unspecified other impact.
For Debian 8 "Jessie", these problems have been fixed in version
2014.01.13-1+deb8u2.
We recommend that you upgrade your liblivemedia packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1691-1: exiv2 security update
From: Thorsten Alteholz
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1691-1] exiv2 security update
Package : exiv2
Version : 0.24-4.1+deb8u3
CVE ID : CVE-2018-17581 CVE-2018-19107 CVE-2018-19108
CVE-2018-19535 CVE-2018-20097
Several issues have been found in exiv2, a EXIF/IPTC/XMP metadata
manipulation tool.
CVE-2018-17581
A stack overflow due to a recursive function call causing excessive
stack consumption which leads to denial of service.
CVE-2018-19107
A heap based buffer over-read caused by an integer overflow could
result in a denial of service via a crafted file.
CVE-2018-19108
There seems to be an infinite loop inside a function that can be
activated by a crafted image.
CVE-2018-19535
A heap based buffer over-read caused could result in a denial of
service via a crafted file.
CVE-2018-20097
A crafted image could result in a denial of service.
For Debian 8 "Jessie", these problems have been fixed in version
0.24-4.1+deb8u3.
We recommend that you upgrade your exiv2 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
