Debian dla-3236 : libopenexr-dev - security update

medium Nessus Plugin ID 168916

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3236 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3236-1 [email protected]
https://www.debian.org/lts/security/ Markus Koschany
December 12, 2022 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package    : openexr
Version    : 2.2.1-4.1+deb10u2
CVE ID     : CVE-2020-16587 CVE-2020-16588 CVE-2020-16589 CVE-2021-3474 CVE-2021-3475 CVE-2021-3476 CVE-2021-3477 CVE-2021-3478 CVE-2021-3479 CVE-2021-3598 CVE-2021-3605 CVE-2021-3933 CVE-2021-3941 CVE-2021-20296 CVE-2021-20298 CVE-2021-20299 CVE-2021-20300 CVE-2021-20302 CVE-2021-20303 CVE-2021-23215 CVE-2021-26260 CVE-2021-45942
Debian Bug : 986796 992703 990450 990899 1014828

Multiple security vulnerabilities have been found in OpenEXR, command-line tools and a library for the OpenEXR image format. Buffer overflows or out-of-bound reads could lead to a denial of service (application crash) if a malformed image file is processed.

For Debian 10 buster, these problems have been fixed in version 2.2.1-4.1+deb10u2.

We recommend that you upgrade your openexr packages.

For the detailed security status of openexr please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/openexr

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the libopenexr-dev packages.

See Also

https://security-tracker.debian.org/tracker/CVE-2021-3941

https://security-tracker.debian.org/tracker/CVE-2021-45942

https://packages.debian.org/source/buster/openexr

https://security-tracker.debian.org/tracker/source-package/openexr

https://security-tracker.debian.org/tracker/CVE-2020-16587

https://security-tracker.debian.org/tracker/CVE-2020-16588

https://security-tracker.debian.org/tracker/CVE-2020-16589

https://security-tracker.debian.org/tracker/CVE-2021-20296

https://security-tracker.debian.org/tracker/CVE-2021-20298

https://security-tracker.debian.org/tracker/CVE-2021-20299

https://security-tracker.debian.org/tracker/CVE-2021-20300

https://security-tracker.debian.org/tracker/CVE-2021-20302

https://security-tracker.debian.org/tracker/CVE-2021-20303

https://security-tracker.debian.org/tracker/CVE-2021-23215

https://security-tracker.debian.org/tracker/CVE-2021-26260

https://security-tracker.debian.org/tracker/CVE-2021-3474

https://security-tracker.debian.org/tracker/CVE-2021-3475

https://security-tracker.debian.org/tracker/CVE-2021-3476

https://security-tracker.debian.org/tracker/CVE-2021-3477

https://security-tracker.debian.org/tracker/CVE-2021-3478

https://security-tracker.debian.org/tracker/CVE-2021-3479

https://security-tracker.debian.org/tracker/CVE-2021-3598

https://security-tracker.debian.org/tracker/CVE-2021-3605

https://security-tracker.debian.org/tracker/CVE-2021-3933

Plugin Details

Severity: Medium

ID: 168916

File Name: debian_DLA-3236.nasl

Version: 1.2

Type: local

Agent: unix

Published: 12/19/2022

Updated: 1/22/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.0

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2021-20303

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libopenexr-dev, cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:openexr, p-cpe:/a:debian:debian_linux:libopenexr23, p-cpe:/a:debian:debian_linux:openexr-doc

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/12/2022

Vulnerability Publication Date: 12/9/2020

Reference Information

CVE: CVE-2020-16587, CVE-2020-16588, CVE-2020-16589, CVE-2021-20296, CVE-2021-20298, CVE-2021-20299, CVE-2021-20300, CVE-2021-20302, CVE-2021-20303, CVE-2021-23215, CVE-2021-26260, CVE-2021-3474, CVE-2021-3475, CVE-2021-3476, CVE-2021-3477, CVE-2021-3478, CVE-2021-3479, CVE-2021-3598, CVE-2021-3605, CVE-2021-3933, CVE-2021-3941, CVE-2021-45942