var-202105-1460
Vulnerability from variot

A flaw was found in libwebp in versions before 1.0.1. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. libwebp Is vulnerable to the use of freed memory.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

APPLE-SA-2021-07-21-1 iOS 14.7 and iPadOS 14.7

iOS 14.7 and iPadOS 14.7 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212601.

iOS 14.7 released July 19, 2021; iPadOS 14.7 released July 21, 2021

ActionKit Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A shortcut may be able to bypass Internet permission requirements Description: An input validation issue was addressed with improved input validation. CVE-2021-30763: Zachary Keffaber (@QuickUpdate5)

Audio Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2021-30781: tr3e

AVEVideoEncoder Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2021-30748: George Nosenko

CoreAudio Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2021-30775: JunDong Xie of Ant Security Light-Year Lab

CoreAudio Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Playing a malicious audio file may lead to an unexpected application termination Description: A logic issue was addressed with improved validation. CVE-2021-30776: JunDong Xie of Ant Security Light-Year Lab

CoreGraphics Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A race condition was addressed with improved state handling. CVE-2021-30786: ryuzaki

CoreText Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2021-30789: Mickey Jin (@patch1t) of Trend Micro, Sunglin of Knownsec 404 team

Crash Reporter Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A malicious application may be able to gain root privileges Description: A logic issue was addressed with improved validation. CVE-2021-30774: Yizhuo Wang of Group of Software Security In Progress (G.O.S.S.I.P) at Shanghai Jiao Tong University

CVMS Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A malicious application may be able to gain root privileges Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2021-30780: Tim Michaud(@TimGMichaud) of Zoom Video Communications

dyld Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A logic issue was addressed with improved validation. CVE-2021-30768: Linus Henze (pinauten.de)

Find My Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A malicious application may be able to access Find My data Description: A permissions issue was addressed with improved validation. CVE-2021-30804: Csaba Fitzl (@theevilbit) of Offensive Security

FontParser Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: An integer overflow was addressed through improved input validation. CVE-2021-30760: Sunglin of Knownsec 404 team

FontParser Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing a maliciously crafted tiff file may lead to a denial-of-service or potentially disclose memory contents Description: This issue was addressed with improved checks. CVE-2021-30788: tr3e working with Trend Micro Zero Day Initiative

FontParser Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A stack overflow was addressed with improved input validation. CVE-2021-30759: hjy79425575 working with Trend Micro Zero Day Initiative

Identity Service Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A malicious application may be able to bypass code signing checks Description: An issue in code signature validation was addressed with improved checks. CVE-2021-30773: Linus Henze (pinauten.de)

Image Processing Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2021-30802: Matthew Denton of Google Chrome Security

ImageIO Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: This issue was addressed with improved checks. CVE-2021-30779: Jzhu, Ye Zhang(@co0py_Cat) of Baidu Security

ImageIO Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A buffer overflow was addressed with improved bounds checking. CVE-2021-30785: CFF of Topsec Alpha Team, Mickey Jin (@patch1t) of Trend Micro

Kernel Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication Description: A logic issue was addressed with improved state management. CVE-2021-30769: Linus Henze (pinauten.de)

Kernel Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations Description: A logic issue was addressed with improved validation. CVE-2021-30770: Linus Henze (pinauten.de)

libxml2 Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A remote attacker may be able to cause arbitrary code execution Description: This issue was addressed with improved checks. CVE-2021-3518

Measure Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Multiple issues in libwebp Description: Multiple issues were addressed by updating to version 1.2.0. CVE-2018-25010 CVE-2018-25011 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331

Model I/O Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing a maliciously crafted image may lead to a denial of service Description: A logic issue was addressed with improved validation. CVE-2021-30796: Mickey Jin (@patch1t) of Trend Micro

Model I/O Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds write was addressed with improved input validation. CVE-2021-30792: Anonymous working with Trend Micro Zero Day Initiative

Model I/O Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing a maliciously crafted file may disclose user information Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2021-30791: Anonymous working with Trend Micro Zero Day Initiative

TCC Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A malicious application may be able to bypass certain Privacy preferences Description: A logic issue was addressed with improved state management. CVE-2021-30798: Mickey Jin (@patch1t) of Trend Micro

WebKit Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A type confusion issue was addressed with improved state handling. CVE-2021-30758: Christoph Guttandin of Media Codings

WebKit Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2021-30795: Sergei Glazunov of Google Project Zero

WebKit Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing maliciously crafted web content may lead to code execution Description: This issue was addressed with improved checks. CVE-2021-30797: Ivan Fratric of Google Project Zero

WebKit Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2021-30799: Sergei Glazunov of Google Project Zero

Wi-Fi Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Joining a malicious Wi-Fi network may result in a denial of service or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2021-30800: vm_call, Nozhdar Abdulkhaleq Shukri

Additional recognition

Assets We would like to acknowledge Cees Elzinga for their assistance.

CoreText We would like to acknowledge Mickey Jin (@patch1t) of Trend Micro for their assistance.

Safari We would like to acknowledge an anonymous researcher for their assistance.

Sandbox We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance.

Installation note:

This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About * The version after applying this update will be "14.7"

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAmD4r8YACgkQZcsbuWJ6 jjB5LBAAkEy25fNpo8rg42bsyJwWsSQQxPN79JFxQ6L8tqdsM+MZk86dUKtsRQ47 mxarMf4uBwiIOtrGSCGHLIxXAzLqPY47NDhO+ls0dVxGMETkoR/287AeLnw2ITh3 DM0H/pco4hRhPh8neYTMjNPMAgkepx+r7IqbaHWapn42nRC4/2VkEtVGltVDLs3L K0UQP0cjy2w9KvRF33H3uKNCaCTJrVkDBLKWC7rPPpomwp3bfmbQHjs0ixV5Y8l5 3MfNmCuhIt34zAjVELvbE/PUXgkmsECbXHNZOct7ZLAbceneVKtSmynDtoEN0ajM JiJ6j+FCtdfB3xHk3cHqB6sQZm7fDxdK3z91MZvSZwwmdhJeHD/TxcItRlHNOYA1 FSi0Q954DpIqz3Fs4DGE7Vwz0g5+o5qup8cnw9oLXBdqZwWANuLsQlHlioPbcDhl r1DmwtghmDYFUeSMnzHu/iuRepEju+BRMS3ybCm5j+I3kyvAV8pyvqNNRLfJn+w+ Wl/lwXTtXbgsNPR7WJCBJffxB0gOGZaIG1blSGCY89t2if0vD95R5sRsrnaxuqWc qmtRdBfbmjxk/G+6t1sd4wFglTNovHiLIHXh17cwdIWMB35yFs7VA35833/rF4Oo jOF1D12o58uAewxAsK+cTixe7I9U5Awkad2Jz19V3qHnRWGqtVg\x8e1h -----END PGP SIGNATURE-----

. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor

  1. Solution:

For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html

Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html

  1. Bugs fixed (https://bugzilla.redhat.com/):

1813344 - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload 1979134 - Placeholder bug for OCP 4.6.0 extras release

  1. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

===================================================================== Red Hat Security Advisory

Synopsis: Important: libwebp security update Advisory ID: RHSA-2021:2260-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:2260 Issue date: 2021-06-07 CVE Names: CVE-2018-25011 CVE-2020-36328 CVE-2020-36329 =====================================================================

  1. Summary:

An update for libwebp is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

  1. Description:

The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format (RIFF). Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently.

Security Fix(es):

  • libwebp: heap-based buffer overflow in PutLE16() (CVE-2018-25011)

  • libwebp: heap-based buffer overflow in WebPDecode*Into functions (CVE-2020-36328)

  • libwebp: use-after-free in EmitFancyRGB() in dec/io_dec.c (CVE-2020-36329)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

  1. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

  1. Bugs fixed (https://bugzilla.redhat.com/):

1956829 - CVE-2020-36328 libwebp: heap-based buffer overflow in WebPDecode*Into functions 1956843 - CVE-2020-36329 libwebp: use-after-free in EmitFancyRGB() in dec/io_dec.c 1956919 - CVE-2018-25011 libwebp: heap-based buffer overflow in PutLE16()

  1. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source: libwebp-0.3.0-10.el7_9.src.rpm

x86_64: libwebp-0.3.0-10.el7_9.i686.rpm libwebp-0.3.0-10.el7_9.x86_64.rpm libwebp-debuginfo-0.3.0-10.el7_9.i686.rpm libwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64: libwebp-debuginfo-0.3.0-10.el7_9.i686.rpm libwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm libwebp-devel-0.3.0-10.el7_9.i686.rpm libwebp-devel-0.3.0-10.el7_9.x86_64.rpm libwebp-java-0.3.0-10.el7_9.x86_64.rpm libwebp-tools-0.3.0-10.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source: libwebp-0.3.0-10.el7_9.src.rpm

x86_64: libwebp-0.3.0-10.el7_9.i686.rpm libwebp-0.3.0-10.el7_9.x86_64.rpm libwebp-debuginfo-0.3.0-10.el7_9.i686.rpm libwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64: libwebp-debuginfo-0.3.0-10.el7_9.i686.rpm libwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm libwebp-devel-0.3.0-10.el7_9.i686.rpm libwebp-devel-0.3.0-10.el7_9.x86_64.rpm libwebp-java-0.3.0-10.el7_9.x86_64.rpm libwebp-tools-0.3.0-10.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source: libwebp-0.3.0-10.el7_9.src.rpm

ppc64: libwebp-0.3.0-10.el7_9.ppc.rpm libwebp-0.3.0-10.el7_9.ppc64.rpm libwebp-debuginfo-0.3.0-10.el7_9.ppc.rpm libwebp-debuginfo-0.3.0-10.el7_9.ppc64.rpm

ppc64le: libwebp-0.3.0-10.el7_9.ppc64le.rpm libwebp-debuginfo-0.3.0-10.el7_9.ppc64le.rpm

s390x: libwebp-0.3.0-10.el7_9.s390.rpm libwebp-0.3.0-10.el7_9.s390x.rpm libwebp-debuginfo-0.3.0-10.el7_9.s390.rpm libwebp-debuginfo-0.3.0-10.el7_9.s390x.rpm

x86_64: libwebp-0.3.0-10.el7_9.i686.rpm libwebp-0.3.0-10.el7_9.x86_64.rpm libwebp-debuginfo-0.3.0-10.el7_9.i686.rpm libwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64: libwebp-debuginfo-0.3.0-10.el7_9.ppc.rpm libwebp-debuginfo-0.3.0-10.el7_9.ppc64.rpm libwebp-devel-0.3.0-10.el7_9.ppc.rpm libwebp-devel-0.3.0-10.el7_9.ppc64.rpm libwebp-java-0.3.0-10.el7_9.ppc64.rpm libwebp-tools-0.3.0-10.el7_9.ppc64.rpm

ppc64le: libwebp-debuginfo-0.3.0-10.el7_9.ppc64le.rpm libwebp-devel-0.3.0-10.el7_9.ppc64le.rpm libwebp-java-0.3.0-10.el7_9.ppc64le.rpm libwebp-tools-0.3.0-10.el7_9.ppc64le.rpm

s390x: libwebp-debuginfo-0.3.0-10.el7_9.s390.rpm libwebp-debuginfo-0.3.0-10.el7_9.s390x.rpm libwebp-devel-0.3.0-10.el7_9.s390.rpm libwebp-devel-0.3.0-10.el7_9.s390x.rpm libwebp-java-0.3.0-10.el7_9.s390x.rpm libwebp-tools-0.3.0-10.el7_9.s390x.rpm

x86_64: libwebp-debuginfo-0.3.0-10.el7_9.i686.rpm libwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm libwebp-devel-0.3.0-10.el7_9.i686.rpm libwebp-devel-0.3.0-10.el7_9.x86_64.rpm libwebp-java-0.3.0-10.el7_9.x86_64.rpm libwebp-tools-0.3.0-10.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source: libwebp-0.3.0-10.el7_9.src.rpm

x86_64: libwebp-0.3.0-10.el7_9.i686.rpm libwebp-0.3.0-10.el7_9.x86_64.rpm libwebp-debuginfo-0.3.0-10.el7_9.i686.rpm libwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64: libwebp-debuginfo-0.3.0-10.el7_9.i686.rpm libwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm libwebp-devel-0.3.0-10.el7_9.i686.rpm libwebp-devel-0.3.0-10.el7_9.x86_64.rpm libwebp-java-0.3.0-10.el7_9.x86_64.rpm libwebp-tools-0.3.0-10.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2018-25011 https://access.redhat.com/security/cve/CVE-2020-36328 https://access.redhat.com/security/cve/CVE-2020-36329 https://access.redhat.com/security/updates/classification/#important

  1. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIVAwUBYL4OxtzjgjWX9erEAQi1Yw//ZajpWKH7bKTBXifw2DXrc61fOReKCwR9 sQ/djSkMMo+hwhFNtqq9zHDmI81tuOzBRgzA0FzA6qeNZGzsJmNX/RrNgnep9um7 X08Dvb6+5VuHWBrrBv26wV5wGq/t2VKgGXSoJi6CDDDRlLn/RiAJzuZqhdhp3Ijn xBHIDIEYoNTYoDvbvZUVhY1kRKJ2sr3UxjcWPqDCNZdu51Z8ssW5up/Uh3NaY8yv iB7PIoIHrtBD0nGQcy5h4qE47wFbe9RdLTOaqGDAGaOrHWWT56eC72YnCYKMxO4K 8X9EXjhEmmH4a4Pl4dND7D1wiiOQe5kSA8IhYdgHVZQyo9WBJTD6g6C5IERwwjat s3Z7vhzA+/cLEo8+Jc5orRGoLArU5rOl4uqh64AEPaON9UB8bMOnqm24y+Ebyi0B S+zZ2kQ1FGeQIMnrjAer3OUcVnf26e6qNWBK+HCjdfmbhgtZxTtXyOKcM4lSFVcm LY8pLMWzZpcSCpYh15YtRRCWr4bJyX1UD8V3l2Zzek9zmFq5ogVX78KBYV3c4oWn ReVMDEpXb3bYoV/EsMk7WOaDBKM1eU2OjVp2e7r2Fnt8GESxSpZ1pKegkxXdPnmX EmPhXKZNnwh4Z4Aw2AYIsQVo9QTyvCnZjfjAy9WfIqbyg8OTGJOeQqQLlKsq6ddb YXjUcIgJv2g= =kWSg -----END PGP SIGNATURE-----

-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . 8) - aarch64, ppc64le, s390x, x86_64

  1. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

Debian Security Advisory DSA-4930-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff June 10, 2021 https://www.debian.org/security/faq


Package : libwebp CVE ID : CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332

Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed.

For the stable distribution (buster), these problems have been fixed in version 0.6.1-2+deb10u1.

We recommend that you upgrade your libwebp packages

Show details on source website


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202105-1460",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "enterprise linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "redhat",
        "version": "8.0"
      },
      {
        "model": "libwebp",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "webmproject",
        "version": "1.0.1"
      },
      {
        "model": "ipados",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "apple",
        "version": "14.7"
      },
      {
        "model": "iphone os",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "apple",
        "version": "14.7"
      },
      {
        "model": "ontap select deploy administration utility",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "10.0"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "9.0"
      },
      {
        "model": "enterprise linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "redhat",
        "version": "7.0"
      },
      {
        "model": "libwebp",
        "scope": null,
        "trust": 0.8,
        "vendor": "the webm",
        "version": null
      },
      {
        "model": "gnu/linux",
        "scope": null,
        "trust": 0.8,
        "vendor": "debian",
        "version": null
      },
      {
        "model": "ontap select deploy administration utility",
        "scope": null,
        "trust": 0.8,
        "vendor": "netapp",
        "version": null
      },
      {
        "model": "red hat enterprise linux",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
        "version": null
      },
      {
        "model": "ipados",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30a2\u30c3\u30d7\u30eb",
        "version": null
      },
      {
        "model": "ios",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30a2\u30c3\u30d7\u30eb",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-016581"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-36329"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:webmproject:libwebp:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.0.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.7",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.7",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-36329"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Red Hat",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "163504"
      },
      {
        "db": "PACKETSTORM",
        "id": "162998"
      },
      {
        "db": "PACKETSTORM",
        "id": "163029"
      },
      {
        "db": "PACKETSTORM",
        "id": "163058"
      },
      {
        "db": "PACKETSTORM",
        "id": "163061"
      }
    ],
    "trust": 0.5
  },
  "cve": "CVE-2020-36329",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 7.5,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2020-36329",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "VHN-391908",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2020-36329",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-36329",
            "trust": 1.8,
            "value": "CRITICAL"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202105-1393",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-391908",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2020-36329",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-391908"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-36329"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-016581"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-1393"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-36329"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A flaw was found in libwebp in versions before 1.0.1. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. libwebp Is vulnerable to the use of freed memory.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2021-07-21-1 iOS 14.7 and iPadOS 14.7\n\niOS 14.7 and iPadOS 14.7 addresses the following issues. \nInformation about the security content is also available at\nhttps://support.apple.com/HT212601. \n\niOS 14.7 released July 19, 2021; iPadOS 14.7 released July 21, 2021\n\nActionKit\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: A shortcut may be able to bypass Internet permission\nrequirements\nDescription: An input validation issue was addressed with improved\ninput validation. \nCVE-2021-30763: Zachary Keffaber (@QuickUpdate5)\n\nAudio\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: A local attacker may be able to cause unexpected application\ntermination or arbitrary code execution\nDescription: This issue was addressed with improved checks. \nCVE-2021-30781: tr3e\n\nAVEVideoEncoder\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\nstate management. \nCVE-2021-30748: George Nosenko\n\nCoreAudio\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing a maliciously crafted audio file may lead to\narbitrary code execution\nDescription: A memory corruption issue was addressed with improved\nstate management. \nCVE-2021-30775: JunDong Xie of Ant Security Light-Year Lab\n\nCoreAudio\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Playing a malicious audio file may lead to an unexpected\napplication termination\nDescription: A logic issue was addressed with improved validation. \nCVE-2021-30776: JunDong Xie of Ant Security Light-Year Lab\n\nCoreGraphics\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Opening a maliciously crafted PDF file may lead to an\nunexpected application termination or arbitrary code execution\nDescription: A race condition was addressed with improved state\nhandling. \nCVE-2021-30786: ryuzaki\n\nCoreText\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing a maliciously crafted font file may lead to\narbitrary code execution\nDescription: An out-of-bounds read was addressed with improved input\nvalidation. \nCVE-2021-30789: Mickey Jin (@patch1t) of Trend Micro, Sunglin of\nKnownsec 404 team\n\nCrash Reporter\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: A malicious application may be able to gain root privileges\nDescription: A logic issue was addressed with improved validation. \nCVE-2021-30774: Yizhuo Wang of Group of Software Security In\nProgress (G.O.S.S.I.P) at Shanghai Jiao Tong University\n\nCVMS\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: A malicious application may be able to gain root privileges\nDescription: An out-of-bounds write issue was addressed with improved\nbounds checking. \nCVE-2021-30780: Tim Michaud(@TimGMichaud) of Zoom Video\nCommunications\n\ndyld\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: A sandboxed process may be able to circumvent sandbox\nrestrictions\nDescription: A logic issue was addressed with improved validation. \nCVE-2021-30768: Linus Henze (pinauten.de)\n\nFind My\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: A malicious application may be able to access Find My data\nDescription: A permissions issue was addressed with improved\nvalidation. \nCVE-2021-30804: Csaba Fitzl (@theevilbit) of Offensive Security\n\nFontParser\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing a maliciously crafted font file may lead to\narbitrary code execution\nDescription: An integer overflow was addressed through improved input\nvalidation. \nCVE-2021-30760: Sunglin of Knownsec 404 team\n\nFontParser\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing a maliciously crafted tiff file may lead to a\ndenial-of-service or potentially disclose memory contents\nDescription: This issue was addressed with improved checks. \nCVE-2021-30788: tr3e working with Trend Micro Zero Day Initiative\n\nFontParser\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing a maliciously crafted font file may lead to\narbitrary code execution\nDescription: A stack overflow was addressed with improved input\nvalidation. \nCVE-2021-30759: hjy79425575 working with Trend Micro Zero Day\nInitiative\n\nIdentity Service\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: A malicious application may be able to bypass code signing\nchecks\nDescription: An issue in code signature validation was addressed with\nimproved checks. \nCVE-2021-30773: Linus Henze (pinauten.de)\n\nImage Processing\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A use after free issue was addressed with improved\nmemory management. \nCVE-2021-30802: Matthew Denton of Google Chrome Security\n\nImageIO\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing a maliciously crafted image may lead to arbitrary\ncode execution\nDescription: This issue was addressed with improved checks. \nCVE-2021-30779: Jzhu, Ye Zhang(@co0py_Cat) of Baidu Security\n\nImageIO\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing a maliciously crafted image may lead to arbitrary\ncode execution\nDescription: A buffer overflow was addressed with improved bounds\nchecking. \nCVE-2021-30785: CFF of Topsec Alpha Team, Mickey Jin (@patch1t) of\nTrend Micro\n\nKernel\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: A malicious attacker with arbitrary read and write capability\nmay be able to bypass Pointer Authentication\nDescription: A logic issue was addressed with improved state\nmanagement. \nCVE-2021-30769: Linus Henze (pinauten.de)\n\nKernel\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: An attacker that has already achieved kernel code execution\nmay be able to bypass kernel memory mitigations\nDescription: A logic issue was addressed with improved validation. \nCVE-2021-30770: Linus Henze (pinauten.de)\n\nlibxml2\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: A remote attacker may be able to cause arbitrary code\nexecution\nDescription: This issue was addressed with improved checks. \nCVE-2021-3518\n\nMeasure\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Multiple issues in libwebp\nDescription: Multiple issues were addressed by updating to version\n1.2.0. \nCVE-2018-25010\nCVE-2018-25011\nCVE-2018-25014\nCVE-2020-36328\nCVE-2020-36329\nCVE-2020-36330\nCVE-2020-36331\n\nModel I/O\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing a maliciously crafted image may lead to a denial\nof service\nDescription: A logic issue was addressed with improved validation. \nCVE-2021-30796: Mickey Jin (@patch1t) of Trend Micro\n\nModel I/O\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing a maliciously crafted image may lead to arbitrary\ncode execution\nDescription: An out-of-bounds write was addressed with improved input\nvalidation. \nCVE-2021-30792: Anonymous working with Trend Micro Zero Day\nInitiative\n\nModel I/O\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing a maliciously crafted file may disclose user\ninformation\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2021-30791: Anonymous working with Trend Micro Zero Day\nInitiative\n\nTCC\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: A malicious application may be able to bypass certain Privacy\npreferences\nDescription: A logic issue was addressed with improved state\nmanagement. \nCVE-2021-30798: Mickey Jin (@patch1t) of Trend Micro\n\nWebKit\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A type confusion issue was addressed with improved state\nhandling. \nCVE-2021-30758: Christoph Guttandin of Media Codings\n\nWebKit\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A use after free issue was addressed with improved\nmemory management. \nCVE-2021-30795: Sergei Glazunov of Google Project Zero\n\nWebKit\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing maliciously crafted web content may lead to code\nexecution\nDescription: This issue was addressed with improved checks. \nCVE-2021-30797: Ivan Fratric of Google Project Zero\n\nWebKit\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: Multiple memory corruption issues were addressed with\nimproved memory handling. \nCVE-2021-30799: Sergei Glazunov of Google Project Zero\n\nWi-Fi\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2\nand later, iPad 5th generation and later, iPad mini 4 and later, and\niPod touch (7th generation)\nImpact: Joining a malicious Wi-Fi network may result in a denial of\nservice or arbitrary code execution\nDescription: This issue was addressed with improved checks. \nCVE-2021-30800: vm_call, Nozhdar Abdulkhaleq Shukri\n\nAdditional recognition\n\nAssets\nWe would like to acknowledge Cees Elzinga for their assistance. \n\nCoreText\nWe would like to acknowledge Mickey Jin (@patch1t) of Trend Micro for\ntheir assistance. \n\nSafari\nWe would like to acknowledge an anonymous researcher for their\nassistance. \n\nSandbox\nWe would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive\nSecurity for their assistance. \n\nInstallation note:\n\nThis update is available through iTunes and Software Update on your\niOS device, and will not appear in your computer\u0027s Software Update\napplication, or in the Apple Downloads site. Make sure you have an\nInternet connection and have installed the latest version of iTunes\nfrom https://www.apple.com/itunes/\n\niTunes and Software Update on the device will automatically check\nApple\u0027s update server on its weekly schedule. When an update is\ndetected, it is downloaded and the option to be installed is\npresented to the user when the iOS device is docked. We recommend\napplying the update immediately if possible. Selecting Don\u0027t Install\nwill present the option the next time you connect your iOS device. \nThe automatic update process may take up to a week depending on the\nday that iTunes or the device checks for updates. You may manually\nobtain the update via the Check for Updates button within iTunes, or\nthe Software Update on your device. \n\nTo check that the iPhone, iPod touch, or iPad has been updated:\n* Navigate to Settings\n* Select General\n* Select About\n* The version after applying this update will be \"14.7\"\n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAmD4r8YACgkQZcsbuWJ6\njjB5LBAAkEy25fNpo8rg42bsyJwWsSQQxPN79JFxQ6L8tqdsM+MZk86dUKtsRQ47\nmxarMf4uBwiIOtrGSCGHLIxXAzLqPY47NDhO+ls0dVxGMETkoR/287AeLnw2ITh3\nDM0H/pco4hRhPh8neYTMjNPMAgkepx+r7IqbaHWapn42nRC4/2VkEtVGltVDLs3L\nK0UQP0cjy2w9KvRF33H3uKNCaCTJrVkDBLKWC7rPPpomwp3bfmbQHjs0ixV5Y8l5\n3MfNmCuhIt34zAjVELvbE/PUXgkmsECbXHNZOct7ZLAbceneVKtSmynDtoEN0ajM\nJiJ6j+FCtdfB3xHk3cHqB6sQZm7fDxdK3z91MZvSZwwmdhJeHD/TxcItRlHNOYA1\nFSi0Q954DpIqz3Fs4DGE7Vwz0g5+o5qup8cnw9oLXBdqZwWANuLsQlHlioPbcDhl\nr1DmwtghmDYFUeSMnzHu/iuRepEju+BRMS3ybCm5j+I3kyvAV8pyvqNNRLfJn+w+\nWl/lwXTtXbgsNPR7WJCBJffxB0gOGZaIG1blSGCY89t2if0vD95R5sRsrnaxuqWc\nqmtRdBfbmjxk/G+6t1sd4wFglTNovHiLIHXh17cwdIWMB35yFs7VA35833/rF4Oo\njOF1D12o58uAewxAsK+cTixe7I9U5Awkad2Jz19V3qHnRWGqtVg\\x8e1h\n-----END PGP SIGNATURE-----\n\n\n. Description:\n\nRed Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments. \n\nAll OpenShift Container Platform 4.6 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift Console\nor the CLI oc command. Instructions for upgrading a cluster are available\nat\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster\n- -between-minor.html#understanding-upgrade-channels_updating-cluster-between\n- -minor\n\n3. Solution:\n\nFor OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel\nease-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster\n- -cli.html\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1813344 - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload\n1979134 - Placeholder bug for OCP 4.6.0 extras release\n\n5. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n                   Red Hat Security Advisory\n\nSynopsis:          Important: libwebp security update\nAdvisory ID:       RHSA-2021:2260-01\nProduct:           Red Hat Enterprise Linux\nAdvisory URL:      https://access.redhat.com/errata/RHSA-2021:2260\nIssue date:        2021-06-07\nCVE Names:         CVE-2018-25011 CVE-2020-36328 CVE-2020-36329 \n=====================================================================\n\n1. Summary:\n\nAn update for libwebp is now available for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - x86_64\nRed Hat Enterprise Linux Client Optional (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64\nRed Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. Description:\n\nThe libwebp packages provide a library and tools for the WebP graphics\nformat. WebP is an image format with a lossy compression of digital\nphotographic images. WebP consists of a codec based on the VP8 format, and\na container based on the Resource Interchange File Format (RIFF). \nWebmasters, web developers and browser developers can use WebP to compress,\narchive, and distribute digital images more efficiently. \n\nSecurity Fix(es):\n\n* libwebp: heap-based buffer overflow in PutLE16() (CVE-2018-25011)\n\n* libwebp: heap-based buffer overflow in WebPDecode*Into functions\n(CVE-2020-36328)\n\n* libwebp: use-after-free in EmitFancyRGB() in dec/io_dec.c\n(CVE-2020-36329)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1956829 - CVE-2020-36328 libwebp: heap-based buffer overflow in WebPDecode*Into functions\n1956843 - CVE-2020-36329 libwebp: use-after-free in EmitFancyRGB() in dec/io_dec.c\n1956919 - CVE-2018-25011 libwebp: heap-based buffer overflow in PutLE16()\n\n6. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\nlibwebp-0.3.0-10.el7_9.src.rpm\n\nx86_64:\nlibwebp-0.3.0-10.el7_9.i686.rpm\nlibwebp-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.i686.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nx86_64:\nlibwebp-debuginfo-0.3.0-10.el7_9.i686.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-devel-0.3.0-10.el7_9.i686.rpm\nlibwebp-devel-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-java-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-tools-0.3.0-10.el7_9.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\nlibwebp-0.3.0-10.el7_9.src.rpm\n\nx86_64:\nlibwebp-0.3.0-10.el7_9.i686.rpm\nlibwebp-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.i686.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nx86_64:\nlibwebp-debuginfo-0.3.0-10.el7_9.i686.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-devel-0.3.0-10.el7_9.i686.rpm\nlibwebp-devel-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-java-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-tools-0.3.0-10.el7_9.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nlibwebp-0.3.0-10.el7_9.src.rpm\n\nppc64:\nlibwebp-0.3.0-10.el7_9.ppc.rpm\nlibwebp-0.3.0-10.el7_9.ppc64.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.ppc.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.ppc64.rpm\n\nppc64le:\nlibwebp-0.3.0-10.el7_9.ppc64le.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.ppc64le.rpm\n\ns390x:\nlibwebp-0.3.0-10.el7_9.s390.rpm\nlibwebp-0.3.0-10.el7_9.s390x.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.s390.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.s390x.rpm\n\nx86_64:\nlibwebp-0.3.0-10.el7_9.i686.rpm\nlibwebp-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.i686.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nppc64:\nlibwebp-debuginfo-0.3.0-10.el7_9.ppc.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.ppc64.rpm\nlibwebp-devel-0.3.0-10.el7_9.ppc.rpm\nlibwebp-devel-0.3.0-10.el7_9.ppc64.rpm\nlibwebp-java-0.3.0-10.el7_9.ppc64.rpm\nlibwebp-tools-0.3.0-10.el7_9.ppc64.rpm\n\nppc64le:\nlibwebp-debuginfo-0.3.0-10.el7_9.ppc64le.rpm\nlibwebp-devel-0.3.0-10.el7_9.ppc64le.rpm\nlibwebp-java-0.3.0-10.el7_9.ppc64le.rpm\nlibwebp-tools-0.3.0-10.el7_9.ppc64le.rpm\n\ns390x:\nlibwebp-debuginfo-0.3.0-10.el7_9.s390.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.s390x.rpm\nlibwebp-devel-0.3.0-10.el7_9.s390.rpm\nlibwebp-devel-0.3.0-10.el7_9.s390x.rpm\nlibwebp-java-0.3.0-10.el7_9.s390x.rpm\nlibwebp-tools-0.3.0-10.el7_9.s390x.rpm\n\nx86_64:\nlibwebp-debuginfo-0.3.0-10.el7_9.i686.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-devel-0.3.0-10.el7_9.i686.rpm\nlibwebp-devel-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-java-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-tools-0.3.0-10.el7_9.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nlibwebp-0.3.0-10.el7_9.src.rpm\n\nx86_64:\nlibwebp-0.3.0-10.el7_9.i686.rpm\nlibwebp-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.i686.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nlibwebp-debuginfo-0.3.0-10.el7_9.i686.rpm\nlibwebp-debuginfo-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-devel-0.3.0-10.el7_9.i686.rpm\nlibwebp-devel-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-java-0.3.0-10.el7_9.x86_64.rpm\nlibwebp-tools-0.3.0-10.el7_9.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2018-25011\nhttps://access.redhat.com/security/cve/CVE-2020-36328\nhttps://access.redhat.com/security/cve/CVE-2020-36329\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2021 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYL4OxtzjgjWX9erEAQi1Yw//ZajpWKH7bKTBXifw2DXrc61fOReKCwR9\nsQ/djSkMMo+hwhFNtqq9zHDmI81tuOzBRgzA0FzA6qeNZGzsJmNX/RrNgnep9um7\nX08Dvb6+5VuHWBrrBv26wV5wGq/t2VKgGXSoJi6CDDDRlLn/RiAJzuZqhdhp3Ijn\nxBHIDIEYoNTYoDvbvZUVhY1kRKJ2sr3UxjcWPqDCNZdu51Z8ssW5up/Uh3NaY8yv\niB7PIoIHrtBD0nGQcy5h4qE47wFbe9RdLTOaqGDAGaOrHWWT56eC72YnCYKMxO4K\n8X9EXjhEmmH4a4Pl4dND7D1wiiOQe5kSA8IhYdgHVZQyo9WBJTD6g6C5IERwwjat\ns3Z7vhzA+/cLEo8+Jc5orRGoLArU5rOl4uqh64AEPaON9UB8bMOnqm24y+Ebyi0B\nS+zZ2kQ1FGeQIMnrjAer3OUcVnf26e6qNWBK+HCjdfmbhgtZxTtXyOKcM4lSFVcm\nLY8pLMWzZpcSCpYh15YtRRCWr4bJyX1UD8V3l2Zzek9zmFq5ogVX78KBYV3c4oWn\nReVMDEpXb3bYoV/EsMk7WOaDBKM1eU2OjVp2e7r2Fnt8GESxSpZ1pKegkxXdPnmX\nEmPhXKZNnwh4Z4Aw2AYIsQVo9QTyvCnZjfjAy9WfIqbyg8OTGJOeQqQLlKsq6ddb\nYXjUcIgJv2g=\n=kWSg\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. 8) - aarch64, ppc64le, s390x, x86_64\n\n3. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4930-1                   security@debian.org\nhttps://www.debian.org/security/                       Moritz Muehlenhoff\nJune 10, 2021                         https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage        : libwebp\nCVE ID         : CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25013 \n                 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 \n                 CVE-2020-36331 CVE-2020-36332\n\nMultiple vulnerabilities were discovered in libwebp, the implementation\nof the WebP image format, which could result in denial of service, memory\ndisclosure or potentially the execution of arbitrary code if malformed\nimages are processed. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 0.6.1-2+deb10u1. \n\nWe recommend that you upgrade your libwebp packages",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-36329"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-016581"
      },
      {
        "db": "VULHUB",
        "id": "VHN-391908"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-36329"
      },
      {
        "db": "PACKETSTORM",
        "id": "163645"
      },
      {
        "db": "PACKETSTORM",
        "id": "163504"
      },
      {
        "db": "PACKETSTORM",
        "id": "162998"
      },
      {
        "db": "PACKETSTORM",
        "id": "163029"
      },
      {
        "db": "PACKETSTORM",
        "id": "163058"
      },
      {
        "db": "PACKETSTORM",
        "id": "163061"
      },
      {
        "db": "PACKETSTORM",
        "id": "169076"
      }
    ],
    "trust": 2.43
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-36329",
        "trust": 4.1
      },
      {
        "db": "PACKETSTORM",
        "id": "163058",
        "trust": 0.8
      },
      {
        "db": "PACKETSTORM",
        "id": "163504",
        "trust": 0.8
      },
      {
        "db": "PACKETSTORM",
        "id": "162998",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-016581",
        "trust": 0.8
      },
      {
        "db": "PACKETSTORM",
        "id": "163028",
        "trust": 0.7
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-1393",
        "trust": 0.7
      },
      {
        "db": "PACKETSTORM",
        "id": "163645",
        "trust": 0.7
      },
      {
        "db": "CS-HELP",
        "id": "SB2021072216",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2021061420",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2021060725",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2021060939",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2021071517",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.1965",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.2102",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.1880",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.1959",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.2485.2",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.2388",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.2036",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.2070",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.1914",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "163061",
        "trust": 0.2
      },
      {
        "db": "PACKETSTORM",
        "id": "163029",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-391908",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-36329",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "169076",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-391908"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-36329"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-016581"
      },
      {
        "db": "PACKETSTORM",
        "id": "163645"
      },
      {
        "db": "PACKETSTORM",
        "id": "163504"
      },
      {
        "db": "PACKETSTORM",
        "id": "162998"
      },
      {
        "db": "PACKETSTORM",
        "id": "163029"
      },
      {
        "db": "PACKETSTORM",
        "id": "163058"
      },
      {
        "db": "PACKETSTORM",
        "id": "163061"
      },
      {
        "db": "PACKETSTORM",
        "id": "169076"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-1393"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-36329"
      }
    ]
  },
  "id": "VAR-202105-1460",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-391908"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-07-23T20:44:13.974000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Bug\u00a01956843",
        "trust": 0.8,
        "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00005.html"
      },
      {
        "title": "libwebp Remediation of resource management error vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=151884"
      },
      {
        "title": "Debian Security Advisories: DSA-4930-1 libwebp -- security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=6dad0021173658916444dfc89f8d2495"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2020-36329"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-016581"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-1393"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-416",
        "trust": 1.1
      },
      {
        "problemtype": "Use of freed memory (CWE-416) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-391908"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-016581"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-36329"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-36329"
      },
      {
        "trust": 1.9,
        "url": "https://www.debian.org/security/2021/dsa-4930"
      },
      {
        "trust": 1.8,
        "url": "https://support.apple.com/kb/ht212601"
      },
      {
        "trust": 1.8,
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956843"
      },
      {
        "trust": 1.8,
        "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00005.html"
      },
      {
        "trust": 1.8,
        "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00006.html"
      },
      {
        "trust": 1.7,
        "url": "https://security.netapp.com/advisory/ntap-20211112-0001/"
      },
      {
        "trust": 1.7,
        "url": "http://seclists.org/fulldisclosure/2021/jul/54"
      },
      {
        "trust": 0.7,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-36328"
      },
      {
        "trust": 0.7,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-25011"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.1959"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/163028/red-hat-security-advisory-2021-2328-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021060725"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/libwebp-five-vulnerabilities-35580"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.2485.2"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.1965"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/163504/red-hat-security-advisory-2021-2643-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021072216"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/162998/red-hat-security-advisory-2021-2260-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.1914"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/163058/red-hat-security-advisory-2021-2365-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://support.apple.com/en-us/ht212601"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021060939"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.1880"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021061420"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021071517"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/163645/apple-security-advisory-2021-07-21-1.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.2036"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.2102"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.2388"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.2070"
      },
      {
        "trust": 0.5,
        "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
      },
      {
        "trust": 0.5,
        "url": "https://access.redhat.com/security/cve/cve-2020-36329"
      },
      {
        "trust": 0.5,
        "url": "https://access.redhat.com/security/team/contact/"
      },
      {
        "trust": 0.5,
        "url": "https://access.redhat.com/security/cve/cve-2020-36328"
      },
      {
        "trust": 0.5,
        "url": "https://access.redhat.com/security/cve/cve-2018-25011"
      },
      {
        "trust": 0.5,
        "url": "https://bugzilla.redhat.com/):"
      },
      {
        "trust": 0.4,
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "trust": 0.4,
        "url": "https://access.redhat.com/articles/11258"
      },
      {
        "trust": 0.4,
        "url": "https://access.redhat.com/security/team/key/"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-36331"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-25010"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-25014"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-36330"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/416.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://support.apple.com/ht212601."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30768"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30781"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30788"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30773"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30776"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30780"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30759"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30789"
      },
      {
        "trust": 0.1,
        "url": "https://www.apple.com/support/security/pgp/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30786"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30775"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30748"
      },
      {
        "trust": 0.1,
        "url": "https://www.apple.com/itunes/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30779"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30758"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30774"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30763"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30760"
      },
      {
        "trust": 0.1,
        "url": "https://support.apple.com/kb/ht201222"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30770"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30769"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30785"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2021-3583"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-7598"
      },
      {
        "trust": 0.1,
        "url": "https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2021-3570"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhba-2021:2641"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-7598"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2021:2643"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3570"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3583"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "trust": 0.1,
        "url": "https://docs.openshift.com/container-platform/4.6/updating/updating-cluster"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2021:2260"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2021:2354"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2021:2365"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2021:2364"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-36332"
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/faq"
      },
      {
        "trust": 0.1,
        "url": "https://security-tracker.debian.org/tracker/libwebp"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-25013"
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-25009"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-391908"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-36329"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-016581"
      },
      {
        "db": "PACKETSTORM",
        "id": "163645"
      },
      {
        "db": "PACKETSTORM",
        "id": "163504"
      },
      {
        "db": "PACKETSTORM",
        "id": "162998"
      },
      {
        "db": "PACKETSTORM",
        "id": "163029"
      },
      {
        "db": "PACKETSTORM",
        "id": "163058"
      },
      {
        "db": "PACKETSTORM",
        "id": "163061"
      },
      {
        "db": "PACKETSTORM",
        "id": "169076"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-1393"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-36329"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-391908"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-36329"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-016581"
      },
      {
        "db": "PACKETSTORM",
        "id": "163645"
      },
      {
        "db": "PACKETSTORM",
        "id": "163504"
      },
      {
        "db": "PACKETSTORM",
        "id": "162998"
      },
      {
        "db": "PACKETSTORM",
        "id": "163029"
      },
      {
        "db": "PACKETSTORM",
        "id": "163058"
      },
      {
        "db": "PACKETSTORM",
        "id": "163061"
      },
      {
        "db": "PACKETSTORM",
        "id": "169076"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-1393"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-36329"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-05-21T00:00:00",
        "db": "VULHUB",
        "id": "VHN-391908"
      },
      {
        "date": "2021-05-21T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-36329"
      },
      {
        "date": "2022-01-27T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-016581"
      },
      {
        "date": "2021-07-23T15:29:39",
        "db": "PACKETSTORM",
        "id": "163645"
      },
      {
        "date": "2021-07-14T15:29:37",
        "db": "PACKETSTORM",
        "id": "163504"
      },
      {
        "date": "2021-06-07T13:58:06",
        "db": "PACKETSTORM",
        "id": "162998"
      },
      {
        "date": "2021-06-09T13:22:14",
        "db": "PACKETSTORM",
        "id": "163029"
      },
      {
        "date": "2021-06-10T13:39:19",
        "db": "PACKETSTORM",
        "id": "163058"
      },
      {
        "date": "2021-06-10T13:42:06",
        "db": "PACKETSTORM",
        "id": "163061"
      },
      {
        "date": "2021-06-28T19:12:00",
        "db": "PACKETSTORM",
        "id": "169076"
      },
      {
        "date": "2021-05-21T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202105-1393"
      },
      {
        "date": "2021-05-21T17:15:08.313000",
        "db": "NVD",
        "id": "CVE-2020-36329"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-01-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-391908"
      },
      {
        "date": "2021-07-23T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-36329"
      },
      {
        "date": "2022-01-27T09:03:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-016581"
      },
      {
        "date": "2022-03-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202105-1393"
      },
      {
        "date": "2023-01-09T16:41:59.350000",
        "db": "NVD",
        "id": "CVE-2020-36329"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-1393"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "libwebp\u00a0 Vulnerabilities in the use of freed memory",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-016581"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "resource management error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202105-1393"
      }
    ],
    "trust": 0.6
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.