libBasicUsageEnvironment1-2021.08.23-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11023-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libBasicUsageEnvironment1-2021.08.23-1.2 on GA media These are all security issues fixed in the libBasicUsageEnvironment1-2021.08.23-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11023 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-4013/ SUSE CVE CVE-2018-4013 page https://www.suse.com/security/cve/CVE-2019-15232/ SUSE CVE CVE-2019-15232 page https://www.suse.com/security/cve/CVE-2019-6256/ SUSE CVE CVE-2019-6256 page https://www.suse.com/security/cve/CVE-2019-7314/ SUSE CVE CVE-2019-7314 page https://www.suse.com/security/cve/CVE-2019-9215/ SUSE CVE CVE-2019-9215 page https://www.suse.com/security/cve/CVE-2021-28899/ SUSE CVE CVE-2021-28899 page https://www.suse.com/security/cve/CVE-2021-38380/ SUSE CVE CVE-2021-38380 page https://www.suse.com/security/cve/CVE-2021-38381/ SUSE CVE CVE-2021-38381 page https://www.suse.com/security/cve/CVE-2021-38382/ SUSE CVE CVE-2021-38382 page https://www.suse.com/security/cve/CVE-2021-39282/ SUSE CVE CVE-2021-39282 page https://www.suse.com/security/cve/CVE-2021-39283/ SUSE CVE CVE-2021-39283 page openSUSE Tumbleweed libBasicUsageEnvironment1-2021.08.23-1.2 libUsageEnvironment3-2021.08.23-1.2 libgroupsock30-2021.08.23-1.2 libliveMedia97-2021.08.23-1.2 live555-2021.08.23-1.2 live555-devel-2021.08.23-1.2 libBasicUsageEnvironment1-2021.08.23-1.2 as a component of openSUSE Tumbleweed libUsageEnvironment3-2021.08.23-1.2 as a component of openSUSE Tumbleweed libgroupsock30-2021.08.23-1.2 as a component of openSUSE Tumbleweed libliveMedia97-2021.08.23-1.2 as a component of openSUSE Tumbleweed live555-2021.08.23-1.2 as a component of openSUSE Tumbleweed live555-devel-2021.08.23-1.2 as a component of openSUSE Tumbleweed An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library version 0.92. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability. CVE-2018-4013 openSUSE Tumbleweed:libBasicUsageEnvironment1-2021.08.23-1.2 openSUSE Tumbleweed:libUsageEnvironment3-2021.08.23-1.2 openSUSE Tumbleweed:libgroupsock30-2021.08.23-1.2 openSUSE Tumbleweed:libliveMedia97-2021.08.23-1.2 openSUSE Tumbleweed:live555-2021.08.23-1.2 openSUSE Tumbleweed:live555-devel-2021.08.23-1.2 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-4013.html CVE-2018-4013 https://bugzilla.suse.com/1114779 SUSE Bug 1114779 Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors. CVE-2019-15232 openSUSE Tumbleweed:libBasicUsageEnvironment1-2021.08.23-1.2 openSUSE Tumbleweed:libUsageEnvironment3-2021.08.23-1.2 openSUSE Tumbleweed:libgroupsock30-2021.08.23-1.2 openSUSE Tumbleweed:libliveMedia97-2021.08.23-1.2 openSUSE Tumbleweed:live555-2021.08.23-1.2 openSUSE Tumbleweed:live555-devel-2021.08.23-1.2 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-15232.html CVE-2019-15232 https://bugzilla.suse.com/1146283 SUSE Bug 1146283 A Denial of Service issue was discovered in the LIVE555 Streaming Media libraries as used in Live555 Media Server 0.93. It can cause an RTSPServer crash in handleHTTPCmd_TunnelingPOST, when RTSP-over-HTTP tunneling is supported, via x-sessioncookie HTTP headers in a GET request and a POST request within the same TCP session. This occurs because of a call to an incorrect virtual function pointer in the readSocket function in GroupsockHelper.cpp. CVE-2019-6256 openSUSE Tumbleweed:libBasicUsageEnvironment1-2021.08.23-1.2 openSUSE Tumbleweed:libUsageEnvironment3-2021.08.23-1.2 openSUSE Tumbleweed:libgroupsock30-2021.08.23-1.2 openSUSE Tumbleweed:libliveMedia97-2021.08.23-1.2 openSUSE Tumbleweed:live555-2021.08.23-1.2 openSUSE Tumbleweed:live555-devel-2021.08.23-1.2 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6256.html CVE-2019-6256 https://bugzilla.suse.com/1121892 SUSE Bug 1121892 liblivemedia in Live555 before 2019.02.03 mishandles the termination of an RTSP stream after RTP/RTCP-over-RTSP has been set up, which could lead to a Use-After-Free error that causes the RTSP server to crash (Segmentation fault) or possibly have unspecified other impact. CVE-2019-7314 openSUSE Tumbleweed:libBasicUsageEnvironment1-2021.08.23-1.2 openSUSE Tumbleweed:libUsageEnvironment3-2021.08.23-1.2 openSUSE Tumbleweed:libgroupsock30-2021.08.23-1.2 openSUSE Tumbleweed:libliveMedia97-2021.08.23-1.2 openSUSE Tumbleweed:live555-2021.08.23-1.2 openSUSE Tumbleweed:live555-devel-2021.08.23-1.2 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-7314.html CVE-2019-7314 https://bugzilla.suse.com/1124159 SUSE Bug 1124159 In Live555 before 2019.02.27, malformed headers lead to invalid memory access in the parseAuthorizationHeader function. CVE-2019-9215 openSUSE Tumbleweed:libBasicUsageEnvironment1-2021.08.23-1.2 openSUSE Tumbleweed:libUsageEnvironment3-2021.08.23-1.2 openSUSE Tumbleweed:libgroupsock30-2021.08.23-1.2 openSUSE Tumbleweed:libliveMedia97-2021.08.23-1.2 openSUSE Tumbleweed:live555-2021.08.23-1.2 openSUSE Tumbleweed:live555-devel-2021.08.23-1.2 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9215.html CVE-2019-9215 https://bugzilla.suse.com/1127341 SUSE Bug 1127341 Vulnerability in the AC3AudioFileServerMediaSubsession, ADTSAudioFileServerMediaSubsession, and AMRAudioFileServerMediaSubsessionLive OnDemandServerMediaSubsession subclasses in Networks LIVE555 Streaming Media before 2021.3.16. CVE-2021-28899 openSUSE Tumbleweed:libBasicUsageEnvironment1-2021.08.23-1.2 openSUSE Tumbleweed:libUsageEnvironment3-2021.08.23-1.2 openSUSE Tumbleweed:libgroupsock30-2021.08.23-1.2 openSUSE Tumbleweed:libliveMedia97-2021.08.23-1.2 openSUSE Tumbleweed:live555-2021.08.23-1.2 openSUSE Tumbleweed:live555-devel-2021.08.23-1.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-28899.html CVE-2021-28899 https://bugzilla.suse.com/1185874 SUSE Bug 1185874 Live555 through 1.08 mishandles huge requests for the same MP3 stream, leading to recursion and s stack-based buffer over-read. An attacker can leverage this to launch a DoS attack. CVE-2021-38380 openSUSE Tumbleweed:libBasicUsageEnvironment1-2021.08.23-1.2 openSUSE Tumbleweed:libUsageEnvironment3-2021.08.23-1.2 openSUSE Tumbleweed:libgroupsock30-2021.08.23-1.2 openSUSE Tumbleweed:libliveMedia97-2021.08.23-1.2 openSUSE Tumbleweed:live555-2021.08.23-1.2 openSUSE Tumbleweed:live555-devel-2021.08.23-1.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-38380.html CVE-2021-38380 https://bugzilla.suse.com/1189351 SUSE Bug 1189351 Live555 through 1.08 does not handle MPEG-1 or 2 files properly. Sending two successive RTSP SETUP commands for the same track causes a Use-After-Free and daemon crash. CVE-2021-38381 openSUSE Tumbleweed:libBasicUsageEnvironment1-2021.08.23-1.2 openSUSE Tumbleweed:libUsageEnvironment3-2021.08.23-1.2 openSUSE Tumbleweed:libgroupsock30-2021.08.23-1.2 openSUSE Tumbleweed:libliveMedia97-2021.08.23-1.2 openSUSE Tumbleweed:live555-2021.08.23-1.2 openSUSE Tumbleweed:live555-devel-2021.08.23-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-38381.html CVE-2021-38381 https://bugzilla.suse.com/1189352 SUSE Bug 1189352 Live555 through 1.08 does not handle Matroska and Ogg files properly. Sending two successive RTSP SETUP commands for the same track causes a Use-After-Free and daemon crash. CVE-2021-38382 openSUSE Tumbleweed:libBasicUsageEnvironment1-2021.08.23-1.2 openSUSE Tumbleweed:libUsageEnvironment3-2021.08.23-1.2 openSUSE Tumbleweed:libgroupsock30-2021.08.23-1.2 openSUSE Tumbleweed:libliveMedia97-2021.08.23-1.2 openSUSE Tumbleweed:live555-2021.08.23-1.2 openSUSE Tumbleweed:live555-devel-2021.08.23-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-38382.html CVE-2021-38382 https://bugzilla.suse.com/1189353 SUSE Bug 1189353 Live555 through 1.08 has a memory leak in AC3AudioStreamParser for AC3 files. CVE-2021-39282 openSUSE Tumbleweed:libBasicUsageEnvironment1-2021.08.23-1.2 openSUSE Tumbleweed:libUsageEnvironment3-2021.08.23-1.2 openSUSE Tumbleweed:libgroupsock30-2021.08.23-1.2 openSUSE Tumbleweed:libliveMedia97-2021.08.23-1.2 openSUSE Tumbleweed:live555-2021.08.23-1.2 openSUSE Tumbleweed:live555-devel-2021.08.23-1.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-39282.html CVE-2021-39282 https://bugzilla.suse.com/1189725 SUSE Bug 1189725 liveMedia/FramedSource.cpp in Live555 through 1.08 allows an assertion failure and application exit via multiple SETUP and PLAY commands. CVE-2021-39283 openSUSE Tumbleweed:libBasicUsageEnvironment1-2021.08.23-1.2 openSUSE Tumbleweed:libUsageEnvironment3-2021.08.23-1.2 openSUSE Tumbleweed:libgroupsock30-2021.08.23-1.2 openSUSE Tumbleweed:libliveMedia97-2021.08.23-1.2 openSUSE Tumbleweed:live555-2021.08.23-1.2 openSUSE Tumbleweed:live555-devel-2021.08.23-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-39283.html CVE-2021-39283 https://bugzilla.suse.com/1189726 SUSE Bug 1189726