#BSI WID-SEC-2024-1945: [NEW] [medium] #Red #Hat #Enterprise #Linux (#libvpx): Multiple vulnerabilities enable denial of service

A remote attacker can exploit multiple vulnerabilities in Red Hat Enterprise Linux in the libvpx component to carry out a denial-of-service attack.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1945

Warn- und Informationsdienst (Warning and Information Service)

FFmpeg libaom (libaom-av1) is the reference encoder for the AV1 format. It was also used for research during the development of AV1. libaom is based on libvpx and thus shares many of its characteristics in terms of features, performance, and usage.

To install FFmpeg with support for libaom-av1, look at the Compilation Guides and compile FFmpeg with the --enable-libaom option.

https://ffmpeg.org/ffmpeg-codecs.html#libaom_002dav1
https://trac.ffmpeg.org/wiki/CompilationGuide

#ffmpeg #av1 #vp9 #libaom #libvpx #AOMedia

FFmpeg Codecs Documentation

Patch Tuesday, October 2023 Edition – Krebs on Security

Apple releases iOS/iPad OS 17.0.3 as an emergency update to resolve an actively exploited zero day caused by a kernel vulnerability. If successful, a malicious actor can perform local privilege escalation as part of an attack chain.

Apple also notes that they have resolved CVE-2023-5217 by updating libvpx to 1.13.1 in iOS/iPad OS 17.0.3.

This marks the 17th zero day that Apple has addressed so far this year.

https://www.bleepingcomputer.com/news/apple/apple-emergency-update-fixes-new-zero-day-used-to-hack-iphones/

#infosec #cybersecurity #Apple #ios #ipados #kernel #vulnerability #CVE_2023_42824 #CVE_2023_5217 #libvpx #zeroday

Apple emergency update fixes new zero-day used to hack iPhones

Apple released emergency security updates to patch a new zero-day security flaw exploited in attacks targeting iPhone and iPad users.

BleepingComputer

CISA warned that a vulnerability affecting open source tool libvpx is being exploited

Incident responders and experts at several companies said the WS_FTP Server vulnerabilities are being exploited as well

#libvpx #WSFTP

https://therecord.media/libvpx-ws-ftp-vulnerabilities-browsers-file-transfer-tool

Hackers seen exploiting bugs in browsers and popular file transfer tool

One flaw is in open source code known as "libvpx," which is involved with handling media such as images. The other issue is with software known as WS_FTP.

Just saw patched #libvpx packages hit #Ubuntu repositories

#libvpx6 on Focal (1.8.2-1ubuntu0.2)

#libvpx7 on Jammy (1.11.0-2ubuntu2.2), Lunar (1.12.0-1ubuntu1.2)

Nothing yet on the packaged Firefox in Focal repository

https://ubuntu.com/security/CVE-2023-5217

cc @viking

CVE-2023-5217 | Ubuntu

Ubuntu is an open source software operating system that runs from the desktop, to the cloud, to all your internet connected things.

Ubuntu

Looks like an updated #libvpx package is now in #Debian repositories for stable (Bookworm) and oldstable (Bullseye)!

Updated #Chromium packages are available as well;

however, Debian builds of #Firefox ESR are still at 118.0, so be cautious; note, as I mentioned here, that the package that showed up yesterday was in fact for a new upstream build already underway before the security patch and is for 115.3.0 - NOT 115.3.1, which includes the patch for CVE-2023-5217.

https://mastodon.online/@topher/111144418044781039

Topher 🌱🐧💚 (@topher@mastodon.online)

Important note to #Debian users: the #Firefox ESR package arriving in repositories now is actually firefox-esr 115.3.0 - NOT 115.3.1 (https://tracker.debian.org/news/1466906/accepted-firefox-esr-11530esr-1deb11u1-source-into-oldstable-security/), which was released to fix CVE-2023-5217: Heap buffer overflow in libvpx (https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/). Just a quick PSA: you will NOT be patched yet for CVE-2023-5217 from the updated repository package that just arrived. #libvpx #cve20235217

Mastodon

A new Chrome 0-day is sending the Internet into a new chapter of Groundhog Day

If your software package involves VP8 video encoding, it's likely vulnerable to attack.

Ars Technica

Woohoo, another day, another #0day like the #libwebp one, this time in #libvpx: https://arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software/

Let the purge / patch crunch begin!