Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201908-03 ] JasPer: Multiple vulnerabilities
Date: Fri, 09 Aug 2019 20:47:16
Message-Id: 20190809203858.GB6479@bubba.lan
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201908-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: JasPer: Multiple vulnerabilities
Date: August 09, 2019
Bugs: #614028, #614032, #624988, #629286, #635552, #662160,
#674154, #674214
ID: 201908-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in JasPer, the worst of which
could result in a Denial of Service condition.

Background
==========

JasPer is a software-based implementation of the codec specified in the
JPEG-2000 Part-1 standard.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/jasper <= 2.0.16 >=

Description
===========

Multiple vulnerabilities have been discovered in JasPer. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

JasPer is no longer maintained upstream and contains many
vulnerabilities which remain unaddressed. Gentoo users are advised to
unmerge this package.

  # emerge --unmerge media-libs/jasper

References
==========

[ 1 ] CVE-2017-1000050
      https://nvd.nist.gov/vuln/detail/CVE-2017-1000050
[ 2 ] CVE-2017-13745
      https://nvd.nist.gov/vuln/detail/CVE-2017-13745
[ 3 ] CVE-2017-13746
      https://nvd.nist.gov/vuln/detail/CVE-2017-13746
[ 4 ] CVE-2017-13747
      https://nvd.nist.gov/vuln/detail/CVE-2017-13747
[ 5 ] CVE-2017-13748
      https://nvd.nist.gov/vuln/detail/CVE-2017-13748
[ 6 ] CVE-2017-13749
      https://nvd.nist.gov/vuln/detail/CVE-2017-13749
[ 7 ] CVE-2017-13750
      https://nvd.nist.gov/vuln/detail/CVE-2017-13750
[ 8 ] CVE-2017-13751
      https://nvd.nist.gov/vuln/detail/CVE-2017-13751
[ 9 ] CVE-2017-13752
      https://nvd.nist.gov/vuln/detail/CVE-2017-13752
[ 10 ] CVE-2017-13753
       https://nvd.nist.gov/vuln/detail/CVE-2017-13753
[ 11 ] CVE-2017-14132
       https://nvd.nist.gov/vuln/detail/CVE-2017-14132
[ 12 ] CVE-2017-14229
       https://nvd.nist.gov/vuln/detail/CVE-2017-14229
[ 13 ] CVE-2017-14232
       https://nvd.nist.gov/vuln/detail/CVE-2017-14232
[ 14 ] CVE-2017-5503
       https://nvd.nist.gov/vuln/detail/CVE-2017-5503
[ 15 ] CVE-2017-5504
       https://nvd.nist.gov/vuln/detail/CVE-2017-5504
[ 16 ] CVE-2017-5505
       https://nvd.nist.gov/vuln/detail/CVE-2017-5505
[ 17 ] CVE-2017-6851
       https://nvd.nist.gov/vuln/detail/CVE-2017-6851
[ 18 ] CVE-2017-6852
       https://nvd.nist.gov/vuln/detail/CVE-2017-6852
[ 19 ] CVE-2017-9782
       https://nvd.nist.gov/vuln/detail/CVE-2017-9782
[ 20 ] CVE-2018-18873
       https://nvd.nist.gov/vuln/detail/CVE-2018-18873
[ 21 ] CVE-2018-20584
       https://nvd.nist.gov/vuln/detail/CVE-2018-20584
[ 22 ] CVE-2018-9055
       https://nvd.nist.gov/vuln/detail/CVE-2018-9055
[ 23 ] CVE-2018-9154
       https://nvd.nist.gov/vuln/detail/CVE-2018-9154

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201908-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature