moderate: libwebp/nettle security update
moderate
An update for libwebp/nettle is now available for NewStart CGSL MAIN 6.02.
NewStart Security has rated this update as having a security impact of moderate. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
libwebp: This package provides debug information for package libwebp-tools. Debug information is useful when developing applications that use this package or when debugging this package.
nettle: This package provides debug sources for package nettle. Debug sources are useful when developing applications that use this package or when debugging this package.
Security Fix(es):
libwebp: A flaw was found in libwebp. An out-of-bounds read was found in function ShiftBytes. The highest threat from this vulnerability is to data confidentiality and to the service availability.(CVE-2018-25013)
libwebp: A flaw was found in libwebp. An out-of-bounds read was found in function ApplyFilter. The highest threat from this vulnerability is to data confidentiality and to the service availability.(CVE-2018-25010)
libwebp: A flaw was found in libwebp. An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability.(CVE-2020-36331)
libwebp: A flaw was found in libwebp. An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability.(CVE-2020-36330)
libwebp: A flaw was found in libwebp. When reading a file libwebp allocates an excessive amount of memory. The highest threat from this vulnerability is to the service availability.(CVE-2020-36332)
libwebp: A flaw was found in libwebp. An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability.(CVE-2018-25009)
libwebp: A flaw was found in libwebp. An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability.(CVE-2018-25012)
libwebp: A flaw was found in libwebp. An unitialized variable is used in function ReadSymbol. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2018-25014)
libwebp: bugfix
nettle: A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.(CVE-2021-20232)
nettle: A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.(CVE-2021-20231)
nettle: A flaw was found in nettle in the way its RSA decryption functions handle specially crafted ciphertext. This flaw allows an attacker to provide a manipulated ciphertext, leading to an application crash and a denial of service.(CVE-2021-3580)
nettle: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.02.B0B9.