
Re: [SECURITY] [DLA 2777-1] tiff security update



Hello LTS team,

Apparently, I've sent the following mail thrice to the -announce
list but it doesn't seem to be going through. Could somebody
please send the below announcement from my end? TIA! \o/

The website update has already been pushed long back.


- u


On Sun, Oct 3, 2021 at 8:35 AM Utkarsh Gupta <utkarsh@debian.org> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2777-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
October 03, 2021                            https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : tiff
Version        : 4.0.8-2+deb9u7
CVE ID         : CVE-2020-19131 CVE-2020-19144

Two security issues were found in TIFF, a widely used format for
storing image data, as follows:

CVE-2020-19131

    Buffer Overflow in LibTiff allows attackers to cause
    a denial of service via the "invertImage()" function
    in the component "tiffcrop".

CVE-2020-19144

    Buffer Overflow in LibTiff allows attackers to cause
    a denial of service via the 'in _TIFFmemcpy' function
    in the component 'tif_unix.c'.

For Debian 9 stretch, these problems have been fixed in version
4.0.8-2+deb9u7.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tiff

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
