ID : DEBIAN:DLA-1791-1:B91E6
Type : debian
Reporter : Debian
Modified : 2019-05-19T13:47:28

Description

Package : faad2
Version : 2.7-8+deb8u2
CVE ID : CVE-2018-20194 CVE-2018-20197 CVE-2018-20198 CVE-2018-20362

Multiple vulnerabilities have been found in faad2, the Freeware Advanced Audio
Coder:

CVE-2018-20194
CVE-2018-20197

    Improper handling of implicit channel mapping reconfiguration leads to
    multiple heap-based buffer overflow issues. These flaws might be leveraged
    by remote attackers to cause DoS.

CVE-2018-20198
CVE-2018-20362

    Insufficient user input validation in the sbr_hfadj module leads to
    stack-based buffer underflow issues. These flaws might be leveraged by
    remote attackers to cause DoS or any other unspecified impact.

For Debian 8 "Jessie", these problems have been fixed in version
2.7-8+deb8u2.

We recommend that you upgrade your faad2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
A crafted input will lead to a denial of service or possibly unspecified other impact because limiting the additional noise energy level is mishandled for the G_max > G case.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-18T01:29:00", "title": "CVE-2018-20197", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20197"], "modified": "2020-06-15T18:15:00", "cpe": ["cpe:/a:audiocoding:freeware_advanced_audio_decoder_2:2.8.8"], "id": "CVE-2018-20197", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20197", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:audiocoding:freeware_advanced_audio_decoder_2:2.8.8:*:*:*:*:*:*:*"]}], "debian": [{"lastseen": "2020-08-12T00:51:14", "bulletinFamily": "unix", "cvelist": ["CVE-2018-20194", "CVE-2018-19504", "CVE-2019-15296", "CVE-2018-20195", "CVE-2018-20357", "CVE-2018-19502", "CVE-2018-20361", "CVE-2018-20197", "CVE-2018-20359", "CVE-2018-19503", "CVE-2018-20198", "CVE-2018-20358", "CVE-2018-20362"], "description": "- 
-------------------------------------------------------------------------\nDebian Security Advisory DSA-4522-1 security@debian.org\nhttps://www.debian.org/security/ Hugo Lefeuvre\nSeptember 15, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : faad2\nCVE ID : CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2018-20194 \n CVE-2018-20195 CVE-2018-20197 CVE-2018-20198 CVE-2018-20357 \n CVE-2018-20358 CVE-2018-20359 CVE-2018-20361 CVE-2018-20362 \n CVE-2019-15296\nDebian Bug : 914641\n\nMultiple vulnerabilities have been discovered in faad2, the Freeware Advanced\nAudio Coder. These vulnerabilities might allow remote attackers to cause\ndenial-of-service, or potentially execute arbitrary code if crafted MPEG AAC\nfiles are processed.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 2.8.0~cvs20161113-1+deb9u2.\n\nWe recommend that you upgrade your faad2 packages.\n\nFor the detailed security status of faad2 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/faad2\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 9, "modified": "2019-09-15T15:56:04", "published": "2019-09-15T15:56:04", "id": "DEBIAN:DSA-4522-1:BED85", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00170.html", "title": "[SECURITY] [DSA 4522-1] faad2 security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2020-06-15T19:22:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-20194", "CVE-2018-20196", "CVE-2018-19504", "CVE-2019-15296", "CVE-2018-20195", "CVE-2018-20199", "CVE-2018-20357", "CVE-2018-20360", "CVE-2018-19502", 
"CVE-2018-20361", "CVE-2019-6956", "CVE-2018-20197", "CVE-2018-20359", "CVE-2018-19503", "CVE-2018-20198", "CVE-2018-20358", "CVE-2018-20362"], "description": "### Background\n\nFAAD2 is an open source MPEG-4 and MPEG-2 AAC decoder.\n\n### Description\n\nMultiple vulnerabilities have been discovered in FAAD2. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll FAAD2 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-libs/faad2-2.9.0\"", "edition": 1, "modified": "2020-06-15T00:00:00", "published": "2020-06-15T00:00:00", "id": "GLSA-202006-17", "href": "https://security.gentoo.org/glsa/202006-17", "title": "FAAD2: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}