Debian alert DLA-1690-1 (liblivemedia)
| From: | Hugo Lefeuvre <hle@debian.org> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 1690-1] liblivemedia security update | |
| Date: | Tue, 26 Feb 2019 12:51:37 +0100 | |
| Message-ID: | <20190226115137.GA7644@behemoth.owl.eu.com.local> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : liblivemedia Version : 2014.01.13-1+deb8u2 CVE ID : CVE-2019-6256 CVE-2019-7314 Debian Bug : 919529 Multiple vulnerabilities have been discovered in liblivemedia, the LIVE555 RTSP server library: CVE-2019-6256 liblivemedia servers with RTSP-over-HTTP tunneling enabled are vulnerable to an invalid function pointer dereference. This issue might happen during error handling when processing two GET and POST requests being sent with identical x-sessioncookie within the same TCP session and might be leveraged by remote attackers to cause DoS. CVE-2019-7314 liblivemedia servers with RTSP-over-HTTP tunneling enabled are affected by a use-after-free vulnerability. This vulnerability might be triggered by remote attackers to cause DoS (server crash) or possibly unspecified other impact. For Debian 8 "Jessie", these problems have been fixed in version 2014.01.13-1+deb8u2. We recommend that you upgrade your liblivemedia packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEUFZhdgIWqBhwqCvuZYVUZx9w0DQFAlx1J7YACgkQZYVUZx9w 0DQgzgf/SlZIr7JF9izZiddDLqDnVOF1L2HZzyh8i71quc28ny1ODooPxHlL00Wn KQaBbF94HhGh4JwOfHtwP/2HvkDugm2VJDugMHs/eiPEdMmWNzHqG7f/nbpxB1Aj wcbyUWrbEMHDfln4BVbSxQ70lwI9oXduIs8QzVBkX/2K16im1xrrJPbskOVZ3vFq 42GmKFKvLpoSkiInbKLuvTgaF55SHFnpSubV+H9rSZK5fI+82qAbJGpSrx10Cvzg 46mK0Paq0JIGXSCCKW/ovrmwPGQl3O+PDPyav2PNx9YxH0gxpwbLnxMrdftq9gWk gp0LWsd3SL1k0h3A6pFMycux36XOOQ== =Tq/2 -----END PGP SIGNATURE-----