Security update for libvpx SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:0459-1 Final 1 1 2020-02-25T10:02:29Z current 2020-02-25T10:02:29Z 2020-02-25T10:02:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libvpx This update for libvpx fixes the following issues: - CVE-2019-9232: Fixed an out of bound memory access (bsc#1160613). - CVE-2019-9433: Fixdd a use-after-free in vp8_deblock() (bsc#1160614). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container caasp/v4/nginx-ingress-controller:beta1-2020-459,Image SLES12-SP5-Azure-SAP-BYOS-2020-459,Image SLES12-SP5-Azure-SAP-On-Demand-2020-459,Image SLES12-SP5-EC2-SAP-BYOS-2020-459,Image SLES12-SP5-EC2-SAP-On-Demand-2020-459,Image SLES12-SP5-GCE-SAP-BYOS-2020-459,Image SLES12-SP5-GCE-SAP-On-Demand-2020-459,Image SLES12-SP5-OCI-BYOS-SAP-BYOS-2020-459,Image SLES12-SP5-SAP-Azure-LI-BYOS-Production-2020-459,Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production-2020-459,SUSE-2020-459,SUSE-SLE-SDK-12-SP4-2020-459,SUSE-SLE-SDK-12-SP5-2020-459,SUSE-SLE-SERVER-12-SP4-2020-459,SUSE-SLE-SERVER-12-SP5-2020-459,SUSE-SLE-WE-12-SP4-2020-459,SUSE-SLE-WE-12-SP5-2020-459 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20200459-1/ Link for SUSE-SU-2020:0459-1 https://lists.suse.com/pipermail/sle-security-updates/2020-February/006524.html E-Mail link for SUSE-SU-2020:0459-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1160613 SUSE Bug 1160613 https://bugzilla.suse.com/1160614 SUSE Bug 1160614 https://www.suse.com/security/cve/CVE-2019-9232/ SUSE CVE CVE-2019-9232 page https://www.suse.com/security/cve/CVE-2019-9433/ SUSE CVE CVE-2019-9433 page Container caasp/v4/nginx-ingress-controller:beta1 Image SLES12-SP5-Azure-SAP-BYOS Image SLES12-SP5-Azure-SAP-On-Demand Image SLES12-SP5-EC2-SAP-BYOS Image SLES12-SP5-EC2-SAP-On-Demand Image SLES12-SP5-GCE-SAP-BYOS Image SLES12-SP5-GCE-SAP-On-Demand Image SLES12-SP5-OCI-BYOS-SAP-BYOS Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP4 SUSE Linux Enterprise Software Development Kit 12 SP5 SUSE Linux Enterprise Workstation Extension 12 SP4 SUSE Linux Enterprise Workstation Extension 12 SP5 libvpx1-1.3.0-3.6.1 libvpx-devel-1.3.0-3.6.1 libvpx1-32bit-1.3.0-3.6.1 libvpx1-64bit-1.3.0-3.6.1 vpx-tools-1.3.0-3.6.1 libvpx1-1.3.0-3.6.1 as a component of Container caasp/v4/nginx-ingress-controller:beta1 libvpx1-1.3.0-3.6.1 as a component of Image SLES12-SP5-Azure-SAP-BYOS libvpx1-1.3.0-3.6.1 as a component of Image SLES12-SP5-Azure-SAP-On-Demand libvpx1-1.3.0-3.6.1 as a component of Image SLES12-SP5-EC2-SAP-BYOS libvpx1-1.3.0-3.6.1 as a component of Image SLES12-SP5-EC2-SAP-On-Demand libvpx1-1.3.0-3.6.1 as a component of Image SLES12-SP5-GCE-SAP-BYOS libvpx1-1.3.0-3.6.1 as a component of Image SLES12-SP5-GCE-SAP-On-Demand libvpx1-1.3.0-3.6.1 as a component of Image SLES12-SP5-OCI-BYOS-SAP-BYOS libvpx1-1.3.0-3.6.1 as a component of Image SLES12-SP5-SAP-Azure-LI-BYOS-Production libvpx1-1.3.0-3.6.1 as a component of Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production libvpx1-1.3.0-3.6.1 as a component of SUSE Linux Enterprise Server 12 SP4 libvpx1-1.3.0-3.6.1 as a component of SUSE Linux Enterprise Server 12 SP5 libvpx1-1.3.0-3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 libvpx1-1.3.0-3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 libvpx-devel-1.3.0-3.6.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP4 libvpx-devel-1.3.0-3.6.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 libvpx1-32bit-1.3.0-3.6.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP4 vpx-tools-1.3.0-3.6.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP4 libvpx1-32bit-1.3.0-3.6.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP5 vpx-tools-1.3.0-3.6.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP5 In libvpx, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-122675483 CVE-2019-9232 Container caasp/v4/nginx-ingress-controller:beta1:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-Azure-SAP-BYOS:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-Azure-SAP-On-Demand:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-EC2-SAP-BYOS:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-EC2-SAP-On-Demand:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-GCE-SAP-BYOS:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-GCE-SAP-On-Demand:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-OCI-BYOS-SAP-BYOS:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:libvpx1-1.3.0-3.6.1 SUSE Linux Enterprise Server 12 SP4:libvpx1-1.3.0-3.6.1 SUSE Linux Enterprise Server 12 SP5:libvpx1-1.3.0-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libvpx1-1.3.0-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libvpx1-1.3.0-3.6.1 SUSE Linux Enterprise Software Development Kit 12 SP4:libvpx-devel-1.3.0-3.6.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libvpx-devel-1.3.0-3.6.1 SUSE Linux Enterprise Workstation Extension 12 SP4:libvpx1-32bit-1.3.0-3.6.1 SUSE Linux Enterprise Workstation Extension 12 SP4:vpx-tools-1.3.0-3.6.1 SUSE Linux Enterprise Workstation Extension 12 SP5:libvpx1-32bit-1.3.0-3.6.1 SUSE Linux Enterprise Workstation Extension 12 SP5:vpx-tools-1.3.0-3.6.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20200459-1/ https://www.suse.com/security/cve/CVE-2019-9232.html CVE-2019-9232 https://bugzilla.suse.com/1160613 SUSE Bug 1160613 In libvpx, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-80479354 CVE-2019-9433 Container caasp/v4/nginx-ingress-controller:beta1:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-Azure-SAP-BYOS:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-Azure-SAP-On-Demand:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-EC2-SAP-BYOS:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-EC2-SAP-On-Demand:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-GCE-SAP-BYOS:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-GCE-SAP-On-Demand:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-OCI-BYOS-SAP-BYOS:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:libvpx1-1.3.0-3.6.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:libvpx1-1.3.0-3.6.1 SUSE Linux Enterprise Server 12 SP4:libvpx1-1.3.0-3.6.1 SUSE Linux Enterprise Server 12 SP5:libvpx1-1.3.0-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libvpx1-1.3.0-3.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libvpx1-1.3.0-3.6.1 SUSE Linux Enterprise Software Development Kit 12 SP4:libvpx-devel-1.3.0-3.6.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libvpx-devel-1.3.0-3.6.1 SUSE Linux Enterprise Workstation Extension 12 SP4:libvpx1-32bit-1.3.0-3.6.1 SUSE Linux Enterprise Workstation Extension 12 SP4:vpx-tools-1.3.0-3.6.1 SUSE Linux Enterprise Workstation Extension 12 SP5:libvpx1-32bit-1.3.0-3.6.1 SUSE Linux Enterprise Workstation Extension 12 SP5:vpx-tools-1.3.0-3.6.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20200459-1/ https://www.suse.com/security/cve/CVE-2019-9433.html CVE-2019-9433 https://bugzilla.suse.com/1160614 SUSE Bug 1160614