Security Advisory Details

NS-SA-2020-0015

2020-03-04 10:24:27

Summary

critical: openslp/freetype security update

Severity

critical

Topic

An update for openslp and freetype is now available for NewStart CGSL MAIN 4.05.
NewStart Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

openslp: OpenSLP is an open-source implementation of the Service Location Protocol (SLP), which lets networked applications discover the location of services on a network. (The openslp-debuginfo subpackage provides debug information for the openslp package; it is useful when developing applications that use this package or when debugging this package.)
freetype: The FreeType engine is a free and portable font rendering engine, developed to provide advanced font support for a variety of platforms and environments. FreeType is a library that can open and manage font files as well as efficiently load, hint and render individual glyphs. FreeType is not a font server or a complete text-rendering library.


Security Fix(es):
openslp: OpenSLP, as used in ESXi and the Horizon DaaS appliances, has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. (CVE-2019-5544)
openslp: bugfix (non-security)
freetype: FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Private_Dict in type1/t1parse.c. (CVE-2015-9381)
freetype: FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation. (CVE-2015-9382)
freetype: bugfix (non-security)


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Note that the build tag for this update is 4.05.F17.

Affected Components

  • openslp
  • freetype

Affected Products

  • CGSL MAIN 4.05

Update Packages

CGSL MAIN 4.05

openslp (source: openslp-2.0.0-4.el6_10.src.rpm)

  • openslp-2.0.0-4.el6_10.x86_64.rpm
  • openslp-debuginfo-2.0.0-4.el6_10.x86_64.rpm
  • openslp-devel-2.0.0-4.el6_10.x86_64.rpm
  • openslp-server-2.0.0-4.el6_10.x86_64.rpm

freetype (source: freetype-2.3.11-19.el6_10.src.rpm)

  • freetype-2.3.11-19.el6_10.x86_64.rpm
  • freetype-demos-2.3.11-19.el6_10.x86_64.rpm
  • freetype-debuginfo-2.3.11-19.el6_10.x86_64.rpm
  • freetype-devel-2.3.11-19.el6_10.x86_64.rpm
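The following script is an added verification aid and is not part of the NewStart advisory or its update tooling. It encodes the fixed version-release strings from the package list above and compares them against what the RPM database reports on a CGSL MAIN 4.05 host, so an administrator can confirm that the patched openslp and freetype builds are actually installed. The version comparison is a simplified one (numeric segments compared numerically, the rest as strings) rather than a full rpmvercmp; the function names, the FIXED_* variables and the sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical post-update check for advisory NS-SA-2020-0015 (added example).
# Fixed version-release strings are taken from the advisory's package list.
FIXED_openslp="2.0.0-4.el6_10"
FIXED_freetype="2.3.11-19.el6_10"

# vercmp A B: prints -1, 0 or 1 as A is older than, equal to, or newer than B.
# Segments are split on '.', '-' and '_'; numeric segments compare numerically,
# anything else compares as a string. This is a simplified rpmvercmp, enough
# for the version-release strings used in this advisory.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[._-]/); nb = split(b, B, /[._-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
            if (x == y) continue
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { r = (x + 0 < y + 0) ? -1 : 1 }
            else { r = (x < y) ? -1 : 1 }
            print r; exit
        }
        print 0
    }'
}

# is_fixed NAME VERSION-RELEASE: succeeds (returns 0) when the installed
# build is at or above the fixed build from the advisory.
is_fixed() {
    case "$1" in
        openslp)  fixed="$FIXED_openslp" ;;
        freetype) fixed="$FIXED_freetype" ;;
        *) echo "unknown package: $1" >&2; return 2 ;;
    esac
    [ "$(vercmp "$2" "$fixed")" -ge 0 ]
}

# check_system: queries the local RPM database for each affected package.
# Returns non-zero if any installed package is still below the fixed build.
# Run this on the target host; it needs the rpm command.
check_system() {
    rc=0
    for pkg in openslp freetype; do
        if ! rpm -q "$pkg" >/dev/null 2>&1; then
            echo "$pkg: not installed"
            continue
        fi
        vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" | head -n 1)
        if is_fixed "$pkg" "$vr"; then
            echo "$pkg-$vr: fixed"
        else
            echo "$pkg-$vr: VULNERABLE, update per NS-SA-2020-0015"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_nssa_2020_0015.sh --check
if [ "${1:-}" = "--check" ]; then
    check_system
fi
```

The check queries only the x86_64 base package name; on a host with multiple architectures installed, `head -n 1` keeps the first match, so extend the `rpm -q` query with `%{ARCH}` if you need a per-architecture verdict.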

CVE

References