important: qt5-qtimageformats/microcode_ctl security update
important
An update for qt5-qtimageformats/microcode_ctl is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
qt5-qtimageformats: This package provides debug information for package qt5-qtimageformats. Debug information is useful when developing applications that use this package or when debugging this package.
microcode_ctl: The microcode_ctl utility is a companion to the microcode driver written by Tigran Aivazian
Security Fix(es):
qt5-qtimageformats: A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-36328)
qt5-qtimageformats: A flaw was found in libwebp. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-36329)
qt5-qtimageformats: A flaw was found in libwebp in versions before 1.0.1. An unitialized variable is used in function ReadSymbol. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2018-25014)
qt5-qtimageformats: A flaw was found in libwebp. A heap-based buffer overflow was found in PutLE16(). The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2018-25011)
qt5-qtimageformats: bugfix
microcode_ctl: Domain-bypass transient execution vulnerability in some Intel Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2020-24513)
microcode_ctl: Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2020-24511)
microcode_ctl: Observable timing discrepancy in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2020-24512)
microcode_ctl: A flaw was found in the Intel Advanced Vector Extensions (AVX) implementation, where a local authenticated attacker with the ability to execute AVX instructions can gather the AVX register state from previous AVX executions. This vulnerability allows information disclosure of the AVX register state.(CVE-2020-8696)
microcode_ctl: A flaw was found in Intel® VT-d products. Entries from the context cache on some types of context cache invalidations may not be properly invalidated which may allow an authenticated user to potentially enable escalation of privilege via local access. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-24489)
microcode_ctl: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F34B4.