RHSA-2023:2078: Red Hat Security Advisory: libwebp security update

An update for libwebp is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-1999: The Mozilla Foundation Security Advisory describes this flaw as: A double-free in libwebp could have led to memory corruption and a potentially exploitable crash.
Red Hat Security Data


Issued: 2023-05-02
Updated: 2023-05-02

RHSA-2023:2078 - Security Advisory


Synopsis

Important: libwebp security update

Type/Severity

Security Advisory: Important


Topic

An update for libwebp is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format that offers lossy compression of digital photographic images. It consists of a codec based on the VP8 format and a container based on the Resource Interchange File Format (RIFF). Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently.

Security Fix(es):

  • Mozilla: libwebp: Double-free in libwebp (CVE-2023-1999)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 9 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 9 s390x
  • Red Hat Enterprise Linux for Power, little endian 9 ppc64le
  • Red Hat Enterprise Linux for ARM 64 9 aarch64

Fixes

  • BZ - 2186102 - CVE-2023-1999 Mozilla: libwebp: Double-free in libwebp

Red Hat Enterprise Linux for x86_64 9

SRPM
libwebp-1.2.0-6.el9_1.src.rpm  SHA-256: 0ce3fc5058e883906f7851d614e66c338c68f57123d3e6bf8045f9011fc27d2b

x86_64
libwebp-1.2.0-6.el9_1.i686.rpm  SHA-256: 373f5d9abcefbc5458923a771353670a07e0ac0444d3f43cdff545c11c671614
libwebp-1.2.0-6.el9_1.x86_64.rpm  SHA-256: b17f7301988bb6bed5cd22d3d81d5607f3921cda0582a6e80309143c51dea56b
libwebp-debuginfo-1.2.0-6.el9_1.i686.rpm  SHA-256: e52ad23d242f76829ad06104cb6a5e8d41d430694e56014238d15d0efc7f3cd8
libwebp-debuginfo-1.2.0-6.el9_1.x86_64.rpm  SHA-256: 9711ecca444972f945330ffe511a80c3e0808fa2cce53bae4299d6fa15fd6e32
libwebp-debugsource-1.2.0-6.el9_1.i686.rpm  SHA-256: 3eafd6f427b56e9e6dcca5c92f6b034d7b6d28557dd5d558d589d49d2e853911
libwebp-debugsource-1.2.0-6.el9_1.x86_64.rpm  SHA-256: a508e3751d5dae5cc7debede21ebd3e49ae5d47af6a1b97154b7acf1819a5622
libwebp-devel-1.2.0-6.el9_1.i686.rpm  SHA-256: 8f51965a5bbae6b809dac80fdec8e36a3a07f6ee7ae2a81159cbb112fe7bea79
libwebp-devel-1.2.0-6.el9_1.x86_64.rpm  SHA-256: b21f9edc767716616b7e66c615cdf6ac0bb2f980ac0348c98e8a4b1c85b4e259
libwebp-java-debuginfo-1.2.0-6.el9_1.i686.rpm  SHA-256: 0ff17d946264fb51e6e53a3064c19b6dbbf76405b8824d694f2934e8afb68113
libwebp-java-debuginfo-1.2.0-6.el9_1.x86_64.rpm  SHA-256: 866bdbe85a785d59894d792a6736fc56cb2e33b56c7a2b6312712b2bbbc77542
libwebp-tools-debuginfo-1.2.0-6.el9_1.i686.rpm  SHA-256: da0f5a0c25284d1e6625ff874504843986cd3f4253afd61c2b2ab2c752b6f0c3
libwebp-tools-debuginfo-1.2.0-6.el9_1.x86_64.rpm  SHA-256: 029cde0af5b4ad49949a533e03257bc3dc6b9073781447e2eaba7b54c24d470e

Red Hat Enterprise Linux for IBM z Systems 9

SRPM
libwebp-1.2.0-6.el9_1.src.rpm  SHA-256: 0ce3fc5058e883906f7851d614e66c338c68f57123d3e6bf8045f9011fc27d2b

s390x
libwebp-1.2.0-6.el9_1.s390x.rpm  SHA-256: 77a65087783c039a59d5151fc10509a515afdaa97c453ec216c69b7d83dbc1e7
libwebp-debuginfo-1.2.0-6.el9_1.s390x.rpm  SHA-256: 1f67101c16973b9747ff68fec1ed9f93485a998518c39470d9c57abe4f44b257
libwebp-debugsource-1.2.0-6.el9_1.s390x.rpm  SHA-256: fde7b8e05453f0e931019e868a057eaa1abde9ac2983b384e4902cc9a8dd8ba1
libwebp-devel-1.2.0-6.el9_1.s390x.rpm  SHA-256: 4d620f52d918d9aa0ccb606ff34b1c3e08a3952170eb7df68b4e3934bc166797
libwebp-java-debuginfo-1.2.0-6.el9_1.s390x.rpm  SHA-256: aed8eeffe41fa57f2f3043ad1fcb2ea09f9ab4965a03d6bebfa06f526ad06fa3
libwebp-tools-debuginfo-1.2.0-6.el9_1.s390x.rpm  SHA-256: de16ab1dfe9f12b60c046570f8b8daeeed9a239be3d18fb5aa3f50e6d2330ff3

Red Hat Enterprise Linux for Power, little endian 9

SRPM
libwebp-1.2.0-6.el9_1.src.rpm  SHA-256: 0ce3fc5058e883906f7851d614e66c338c68f57123d3e6bf8045f9011fc27d2b

ppc64le
libwebp-1.2.0-6.el9_1.ppc64le.rpm  SHA-256: 7788a3f0799172812ace4cf8c41aeb39c75a0d80f4e709acfb1a368136014b66
libwebp-debuginfo-1.2.0-6.el9_1.ppc64le.rpm  SHA-256: edfc837a0298a7d41281187043b4689a5a2d05c29110276ee33786ae951ac79f
libwebp-debugsource-1.2.0-6.el9_1.ppc64le.rpm  SHA-256: 59f7fb7b54585c66b3220ea03cf7496dd2207c047f211c2071dff55f581b42e7
libwebp-devel-1.2.0-6.el9_1.ppc64le.rpm  SHA-256: b26b482ce567f9d9f9642d5e45c207ba1f036a8c71363dbb67846d60f007100f
libwebp-java-debuginfo-1.2.0-6.el9_1.ppc64le.rpm  SHA-256: 8001888f3b9e4bef15e17228a2478ee3b577ac4913ac892cf5508a43487f4daa
libwebp-tools-debuginfo-1.2.0-6.el9_1.ppc64le.rpm  SHA-256: 1073491ea2cfbfa07daf43b1735debeb8f64f721d800c1c5548e6353820e1eda

Red Hat Enterprise Linux for ARM 64 9

SRPM
libwebp-1.2.0-6.el9_1.src.rpm  SHA-256: 0ce3fc5058e883906f7851d614e66c338c68f57123d3e6bf8045f9011fc27d2b

aarch64
libwebp-1.2.0-6.el9_1.aarch64.rpm  SHA-256: d71c7f79ea2d61d9e1be44dce80f14044234a4562c8818db6601dfa5d8bf5d74
libwebp-debuginfo-1.2.0-6.el9_1.aarch64.rpm  SHA-256: b33f08a049ff83f884408cf884ba18231da1035fc0541812a573bf5e7158ad1c
libwebp-debugsource-1.2.0-6.el9_1.aarch64.rpm  SHA-256: 0d30a3d604a62399c24f549b9eab077376215bb65cd6d15e6ebc6314a72dd20b
libwebp-devel-1.2.0-6.el9_1.aarch64.rpm  SHA-256: 653a4dfa74bf46f0ca106e3fb1dafe0df5bfbe2ef2714d2264d1f4f3a0b4e0a1
libwebp-java-debuginfo-1.2.0-6.el9_1.aarch64.rpm  SHA-256: 824613261acfde9f4d48f3bec32f42f2f59f96a61538d4bc13c98645db3b8182
libwebp-tools-debuginfo-1.2.0-6.el9_1.aarch64.rpm  SHA-256: 148c693dc8ad7c59d627f3b6e82e81d04865d452ec3437ffde7c47ac499cc8b7

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Related news

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

CVE-2023-1999

There is a use-after-free/double-free in libwebp. An attacker can drive the filter loop in ApplyFiltersAndEncode() so that best.bw is freed and best = trial is assigned; the next iteration then returns 0 because of an out-of-memory error in the VP8 encoder while the buffer pointer is still held in trial, and the buffer is freed a second time (AddressSanitizer reports a double free).
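A runnable schematic of the ownership bug that description outlines, added here as an example and not libwebp's code: a best/trial pair is compared in a loop, a winning trial's buffer is moved into best by struct assignment, and when a later encode attempt fails before it sets up its own writer, the trial struct still carries the pointer that now belongs to best, so the cleanup releases it through both. BitWriter, Trial, encode_trial and run_filter_loop are stand-ins for the libwebp types and functions, not its real API; buffers come from a small tracking allocator so the second free is counted rather than executed. The hardened variant clears the output writer on the failure path, one standard remedy for this pattern.

```c
/* Added example, not libwebp's code: a schematic of the double free described in
 * the CVE-2023-1999 text. Real frees are deferred so the bug is observable, not fatal. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char *buf; size_t size; } BitWriter;   /* stand-in for the VP8 bit writer */
typedef struct { BitWriter bw; int score; } Trial;               /* stand-in for a per-filter trial */

/* Tracking allocator: records how often each buffer is released and defers the
 * real free() to reset_tracking(), so a double free is counted instead of executed. */
#define MAX_BUFS 16
static unsigned char *bufs[MAX_BUFS];
static int frees[MAX_BUFS];
static int nbufs;

static unsigned char *tracked_alloc(size_t n)
{
    if (nbufs >= MAX_BUFS) return NULL;
    unsigned char *p = malloc(n);
    if (p) { bufs[nbufs] = p; frees[nbufs] = 0; nbufs++; }
    return p;
}

static void tracked_free(unsigned char *p)
{
    for (int i = 0; i < nbufs; i++)
        if (bufs[i] == p) frees[i]++;
}

static int count_double_frees(void)
{
    int n = 0;
    for (int i = 0; i < nbufs; i++) if (frees[i] > 1) n++;
    return n;
}

static void reset_tracking(void)
{
    for (int i = 0; i < nbufs; i++) free(bufs[i]);
    nbufs = 0;
}

/* Release the writer's buffer and zero the writer (the WipeOut idiom). */
static void bw_wipe(BitWriter *bw)
{
    if (bw->buf) tracked_free(bw->buf);
    memset(bw, 0, sizeof *bw);
}

/* Stand-in for the per-filter encode step. `fail` simulates an allocation failure
 * that happens before the writer is set up, so nothing in *out is written unless
 * `fixed` is set, in which case the failure path clears out->bw. */
static int encode_trial(int filter, int fail, int fixed, Trial *out)
{
    if (fail) {
        if (fixed) memset(&out->bw, 0, sizeof out->bw);   /* hardened: no stale pointer survives */
        return 0;
    }
    out->bw.size = 16;
    out->bw.buf = tracked_alloc(out->bw.size);
    if (!out->bw.buf) return 0;
    out->score = 100 - filter;   /* each later filter scores better, so best adopts it */
    return 1;
}

/* The best/trial selection loop. Bit `filter` of fail_mask makes that iteration
 * fail. Returns how many buffers ended up freed twice (0 for a correct run). */
int run_filter_loop(unsigned fail_mask, int fixed)
{
    Trial best = { { NULL, 0 }, 1 << 30 };
    Trial trial;   /* one object reused by every iteration, as a loop-local's stack slot is */
    memset(&trial, 0, sizeof trial);
    reset_tracking();
    int ok = 1;
    for (int filter = 0; ok && filter < 4; filter++) {
        ok = encode_trial(filter, (fail_mask >> filter) & 1, fixed, &trial);
        if (ok && trial.score < best.score) {
            bw_wipe(&best.bw);
            best = trial;          /* best now owns the buffer; trial still points at it */
        } else {
            bw_wipe(&trial.bw);    /* on a stale trial this is the first free of best's buffer */
        }
    }
    bw_wipe(&best.bw);             /* ... and this is the second */
    int n = count_double_frees();
    reset_tracking();
    return n;
}

int main(void)
{
    printf("vulnerable loop, failure on 2nd filter: %d buffer(s) freed twice\n", run_filter_loop(0x2u, 0));
    printf("hardened loop,   failure on 2nd filter: %d buffer(s) freed twice\n", run_filter_loop(0x2u, 1));
    return 0;
}
```

The failure has to land on an iteration after a trial has already been promoted to best; a failure on the very first filter finds a zeroed trial and frees nothing, which is why such bugs tend to surface only under allocation pressure or fuzzing rather than in normal runs.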

RHSA-2023:3624: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.10 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.10 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service.
  • CVE-2023-24536: A flaw was found in Golang Go, where it is vulnerable to a denial of service cause...

Red Hat Security Advisory 2023-3356-01

Red Hat Security Advisory 2023-3356-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.9 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

CVE-2023-29550: Security Vulnerabilities fixed in Firefox ESR 102.10

Mozilla developers Randell Jesup, Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111 and Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.

Gentoo Linux Security Advisory 202305-35

Gentoo Linux Security Advisory 202305-35 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. Versions greater than or equal to 102.10.0:esr are affected.

Debian Security Advisory 5408-1

Debian Linux Security Advisory 5408-1 - Irvan Kurniawan discovered a double free in the libwebp image compression library which may result in denial of service.

Red Hat Security Advisory 2023-2110-01

Red Hat Security Advisory 2023-2110-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.16. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2023-2076-01

Red Hat Security Advisory 2023-2076-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a double free vulnerability.

Red Hat Security Advisory 2023-2072-01

Red Hat Security Advisory 2023-2072-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a double free vulnerability.

Red Hat Security Advisory 2023-2077-01

Red Hat Security Advisory 2023-2077-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a double free vulnerability.

Red Hat Security Advisory 2023-2073-01

Red Hat Security Advisory 2023-2073-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a double free vulnerability.

Red Hat Security Advisory 2023-2078-01

Red Hat Security Advisory 2023-2078-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a double free vulnerability.

Red Hat Security Advisory 2023-2075-01

Red Hat Security Advisory 2023-2075-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a double free vulnerability.

RHSA-2023:2085: Red Hat Security Advisory: libwebp security update

An update for libwebp is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-1999: The Mozilla Foundation Security Advisory describes this flaw as: A double-free in libwebp could have led to memory corruption and a potentially exploitable crash.

RHSA-2023:2077: Red Hat Security Advisory: libwebp security update

An update for libwebp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-1999: The Mozilla Foundation Security Advisory describes this flaw as: A double-free in libwebp could have led to memory corruption and a potentially exploitable crash.

RHSA-2023:2076: Red Hat Security Advisory: libwebp security update

An update for libwebp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-1999: The Mozilla Foundation Security Advisory describes this flaw as: A double-free in libwebp could have led to memory corruption and a potentially exploitable crash.

RHSA-2023:2075: Red Hat Security Advisory: libwebp security update

An update for libwebp is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-1999: The Mozilla Foundation Security Advisory describes this flaw as: A double-free in libwebp could have led to memory corruption and a potentially exploitable crash.

RHSA-2023:2073: Red Hat Security Advisory: libwebp security update

An update for libwebp is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-1999: The Mozilla Foundation Security Advisory describes this flaw as: A double-free in libwebp could have led to memory corruption and a potentially exploitable crash.

RHSA-2023:2072: Red Hat Security Advisory: libwebp security update

An update for libwebp is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-1999: The Mozilla Foundation Security Advisory describes this flaw as: A double-free in libwebp could have led to memory corruption and a potentially exploitable crash.

Apple, Google, and Microsoft Just Fixed Zero-Day Security Flaws

Firefox gets a needed tune-up, SolarWinds squashes two high-severity bugs, Oracle patches 433 vulnerabilities, and more updates you should make now.