rhsa-2015_0698
Vulnerability from csaf_redhat
Published
2015-03-18 12:11
Modified
2024-11-14 16:29
Summary
Red Hat Security Advisory: rhevm-spice-client security, bug fix, and enhancement update

Notes

Topic
Updated rhevm-spice-client packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Virtualization Manager 3. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Details
Red Hat Enterprise Virtualization Manager provides access to virtual machines using SPICE. These SPICE client packages provide the SPICE client and usbclerk service for both Windows 32-bit operating systems and Windows 64-bit operating systems.

This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails.

This can prevent a forceful downgrade of the communication to SSL 3.0. The SSL 3.0 protocol was found to be vulnerable to the padding oracle attack when using block cipher suites in cipher block chaining (CBC) mode. This issue is identified as CVE-2014-3566, and also known under the alias POODLE. This SSL 3.0 protocol flaw will not be addressed in a future update; it is recommended that users configure their applications to require at least TLS protocol version 1.0 for secure communication.

For additional information about this flaw, see the Knowledgebase article at https://access.redhat.com/articles/1232123

Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-8138, CVE-2014-8157, CVE-2014-8158, CVE-2014-9029, CVE-2014-8137, CVE-2011-4516, CVE-2011-4517, CVE-2008-3520, CVE-2008-3522)

Red Hat would like to thank oCERT for reporting CVE-2014-8137, CVE-2014-8138, CVE-2014-8157, CVE-2014-8158, CVE-2014-9029, CVE-2011-4516, and CVE-2011-4517. oCERT acknowledges Jose Duart of the Google Security Team as the original reporter of CVE-2014-8137 and CVE-2014-8138; and pyddeh as the original reporter of CVE-2014-8157 and CVE-2014-8158.

The mingw-openssl and mingw-jasper packages have been upgraded to the latest upstream version, which provides a number of bug fixes and enhancements over the previous version. (BZ#1187585)

This update also fixes the following bugs:

* Previously, a guest system installed with tools incorrectly always started in full screen mode, even when the "Open in Full Screen" option was unchecked in console options. Now, when connecting in window mode with the option unchecked, the guest system starts in a window as expected. (BZ#1172126)

* Prior to this update, copying and pasting of images from the client to the guest did not work when spice-gtk was built from upstream. Now, images can be copied and pasted without problems. (BZ#1187270)

In addition, this update adds the following enhancement:

* Administrators now have the option of automatic multiuser installation of virt-viewer onto many client workstations. (BZ#1187272)

All rhevm-spice-client users are advised to upgrade to these updated packages, which correct these issues and add this enhancement.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated rhevm-spice-client packages that fix multiple security issues,\nseveral bugs, and add one enhancement are now available for Red Hat\nEnterprise Virtualization Manager 3.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Enterprise Virtualization Manager provides access to virtual\nmachines using SPICE. These SPICE client packages provide the SPICE client\nand usbclerk service for both Windows 32-bit operating systems and Windows\n64-bit operating systems.\n\nThis update adds support for the TLS Fallback Signaling Cipher Suite Value\n(TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade\nattacks against applications which re-connect using a lower SSL/TLS\nprotocol version when the initial connection indicating the highest\nsupported protocol version fails.\n\nThis can prevent a forceful downgrade of the communication to SSL 3.0.\nThe SSL 3.0 protocol was found to be vulnerable to the padding oracle\nattack when using block cipher suites in cipher block chaining (CBC) mode.\nThis issue is identified as CVE-2014-3566, and also known under the alias\nPOODLE. This SSL 3.0 protocol flaw will not be addressed in a future\nupdate; it is recommended that users configure their applications to\nrequire at least TLS protocol version 1.0 for secure communication.\n\nFor additional information about this flaw, see the Knowledgebase article\nat https://access.redhat.com/articles/1232123\n\nMultiple flaws were found in the way JasPer decoded JPEG 2000 image files.\nA specially crafted file could cause an application using JasPer to crash\nor, possibly, execute arbitrary code. (CVE-2014-8138, CVE-2014-8157,\nCVE-2014-8158, CVE-2014-9029, CVE-2014-8137, CVE-2011-4516, CVE-2011-4517,\nCVE-2008-3520, CVE-2008-3522)\n\nRed Hat would like to thank oCERT for reporting CVE-2014-8137,\nCVE-2014-8138, CVE-2014-8157, CVE-2014-8158, CVE-2014-9029, CVE-2011-4516,\nand CVE-2011-4517. 
oCERT acknowledges Jose Duart of the Google Security\nTeam as the original reporter of CVE-2014-8137 and CVE-2014-8138; and\npyddeh as the original reporter of CVE-2014-8157 and CVE-2014-8158.\n\nThe mingw-openssl and mingw-jasper packages have been upgraded to the\nlatest upstream version, which provides a number of bug fixes and\nenhancements over the previous version. (BZ#1187585)\n\nThis update also fixes the following bugs:\n\n* Previously, a guest system installed with tools incorrectly always\nstarted in full screen mode, even when the \"Open in Full Screen\" option was\nunchecked in console options. Now, when connecting in window mode with the\noption unchecked, the guest system starts in a window as expected.\n(BZ#1172126)\n\n* Prior to this update, copying and pasting of images from the client to\nthe guest did not work when spice-gtk was built from upstream. Now, images\ncan be copied and pasted without problems. (BZ#1187270)\n\nIn addition, this update adds the following enhancement:\n\n* Administrators now have the option of automatic multiuser installation of\nvirt-viewer onto many client workstations. (BZ#1187272)\n\nAll rhevm-spice-client users are advised to upgrade to these updated\npackages, which correct these issues and add these enhancement.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:0698",
        "url": "https://access.redhat.com/errata/RHSA-2015:0698"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "461476",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=461476"
      },
      {
        "category": "external",
        "summary": "461478",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=461478"
      },
      {
        "category": "external",
        "summary": "747726",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=747726"
      },
      {
        "category": "external",
        "summary": "1167537",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1167537"
      },
      {
        "category": "external",
        "summary": "1172126",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1172126"
      },
      {
        "category": "external",
        "summary": "1173157",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1173157"
      },
      {
        "category": "external",
        "summary": "1173162",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1173162"
      },
      {
        "category": "external",
        "summary": "1179282",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1179282"
      },
      {
        "category": "external",
        "summary": "1179298",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1179298"
      },
      {
        "category": "external",
        "summary": "1187270",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1187270"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_0698.json"
      }
    ],
    "title": "Red Hat Security Advisory: rhevm-spice-client security, bug fix, and enhancement update",
    "tracking": {
      "current_release_date": "2024-11-14T16:29:52+00:00",
      "generator": {
        "date": "2024-11-14T16:29:52+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.0"
        }
      },
      "id": "RHSA-2015:0698",
      "initial_release_date": "2015-03-18T12:11:46+00:00",
      "revision_history": [
        {
          "date": "2015-03-18T12:11:46+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2015-03-18T12:11:47+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-14T16:29:52+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHEV-M 3.5",
                "product": {
                  "name": "RHEV-M 3.5",
                  "product_id": "6Server-RHEV-S-3.5",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhev_manager:3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Virtualization"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhevm-spice-client-0:3.5-3.el6.src",
                "product": {
                  "name": "rhevm-spice-client-0:3.5-3.el6.src",
                  "product_id": "rhevm-spice-client-0:3.5-3.el6.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rhevm-spice-client@3.5-3.el6?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
                "product": {
                  "name": "rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
                  "product_id": "rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rhevm-spice-client-x86-cab@3.5-3.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
                "product": {
                  "name": "rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
                  "product_id": "rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rhevm-spice-client-x64-msi@3.5-3.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch",
                "product": {
                  "name": "rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch",
                  "product_id": "rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rhevm-spice-client-x86-msi@3.5-3.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
                "product": {
                  "name": "rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
                  "product_id": "rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rhevm-spice-client-x64-cab@3.5-3.el6?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhevm-spice-client-0:3.5-3.el6.src as a component of RHEV-M 3.5",
          "product_id": "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src"
        },
        "product_reference": "rhevm-spice-client-0:3.5-3.el6.src",
        "relates_to_product_reference": "6Server-RHEV-S-3.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch as a component of RHEV-M 3.5",
          "product_id": "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch"
        },
        "product_reference": "rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
        "relates_to_product_reference": "6Server-RHEV-S-3.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch as a component of RHEV-M 3.5",
          "product_id": "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch"
        },
        "product_reference": "rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
        "relates_to_product_reference": "6Server-RHEV-S-3.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch as a component of RHEV-M 3.5",
          "product_id": "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch"
        },
        "product_reference": "rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
        "relates_to_product_reference": "6Server-RHEV-S-3.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch as a component of RHEV-M 3.5",
          "product_id": "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
        },
        "product_reference": "rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch",
        "relates_to_product_reference": "6Server-RHEV-S-3.5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2008-3520",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "discovery_date": "2008-05-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "461476"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Multiple integer overflows in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via a crafted image file, related to integer multiplication for memory allocation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jasper: multiple integer overflows in jas_alloc calls",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2008-3520"
        },
        {
          "category": "external",
          "summary": "RHBZ#461476",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=461476"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2008-3520",
          "url": "https://www.cve.org/CVERecord?id=CVE-2008-3520"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-3520",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3520"
        }
      ],
      "release_date": "2008-09-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-03-18T12:11:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0698"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jasper: multiple integer overflows in jas_alloc calls"
    },
    {
      "cve": "CVE-2008-3522",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "discovery_date": "2008-05-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "461478"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jasper: possible buffer overflow in jas_stream_printf()",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2008-3522"
        },
        {
          "category": "external",
          "summary": "RHBZ#461478",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=461478"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2008-3522",
          "url": "https://www.cve.org/CVERecord?id=CVE-2008-3522"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-3522",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3522"
        }
      ],
      "release_date": "2008-09-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-03-18T12:11:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0698"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jasper: possible buffer overflow in jas_stream_printf()"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Jonathan Foote"
          ],
          "organization": "CERT Coordination Center"
        }
      ],
      "cve": "CVE-2011-4516",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "discovery_date": "2011-10-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "747726"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A heap-based buffer overflow flaw was found in the way JasPer decoded JPEG 2000 compressed image files. An attacker could create a malicious JPEG 2000 compressed image file that, when opened, would cause applications that use JasPer (such as Nautilus) to crash or, potentially, execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jasper: heap buffer overflow flaws lead to arbitrary code execution (CERT VU#887409)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2011-4516"
        },
        {
          "category": "external",
          "summary": "RHBZ#747726",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=747726"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2011-4516",
          "url": "https://www.cve.org/CVERecord?id=CVE-2011-4516"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-4516",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4516"
        }
      ],
      "release_date": "2011-12-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-03-18T12:11:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0698"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jasper: heap buffer overflow flaws lead to arbitrary code execution (CERT VU#887409)"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Jonathan Foote"
          ],
          "organization": "CERT Coordination Center"
        }
      ],
      "cve": "CVE-2011-4517",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "discovery_date": "2011-10-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "747726"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A heap-based buffer overflow flaw was found in the way JasPer decoded JPEG 2000 compressed image files. An attacker could create a malicious JPEG 2000 compressed image file that, when opened, would cause applications that use JasPer (such as Nautilus) to crash or, potentially, execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jasper: heap buffer overflow flaws lead to arbitrary code execution (CERT VU#887409)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2011-4517"
        },
        {
          "category": "external",
          "summary": "RHBZ#747726",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=747726"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2011-4517",
          "url": "https://www.cve.org/CVERecord?id=CVE-2011-4517"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-4517",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4517"
        }
      ],
      "release_date": "2011-12-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-03-18T12:11:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0698"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jasper: heap buffer overflow flaws lead to arbitrary code execution (CERT VU#887409)"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "oCERT"
          ]
        }
      ],
      "cve": "CVE-2014-8137",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "discovery_date": "2014-12-10T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1173157"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A double free flaw was found in the way JasPer parsed ICC color profiles in JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jasper: double-free in jas_iccattrval_destroy() (oCERT-2014-012)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-8137"
        },
        {
          "category": "external",
          "summary": "RHBZ#1173157",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1173157"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-8137",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-8137"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-8137",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8137"
        },
        {
          "category": "external",
          "summary": "http://www.ocert.org/advisories/ocert-2014-012.html",
          "url": "http://www.ocert.org/advisories/ocert-2014-012.html"
        }
      ],
      "release_date": "2014-12-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-03-18T12:11:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0698"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "jasper: double-free in jas_iccattrval_destroy() (oCERT-2014-012)"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "oCERT"
          ]
        }
      ],
      "cve": "CVE-2014-8138",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "discovery_date": "2014-12-10T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1173162"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A heap-based buffer overflow flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jasper: heap overflow in jp2_decode() (oCERT-2014-012)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-8138"
        },
        {
          "category": "external",
          "summary": "RHBZ#1173162",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1173162"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-8138",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-8138"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-8138",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8138"
        },
        {
          "category": "external",
          "summary": "http://www.ocert.org/advisories/ocert-2014-012.html",
          "url": "http://www.ocert.org/advisories/ocert-2014-012.html"
        }
      ],
      "release_date": "2014-12-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-03-18T12:11:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0698"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jasper: heap overflow in jp2_decode() (oCERT-2014-012)"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "oCERT"
          ]
        }
      ],
      "cve": "CVE-2014-8157",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "discovery_date": "2015-01-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1179282"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An off-by-one flaw, leading to a heap-based buffer overflow, was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jasper: dec-\u003enumtiles off-by-one check in jpc_dec_process_sot() (oCERT-2015-001)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-8157"
        },
        {
          "category": "external",
          "summary": "RHBZ#1179282",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1179282"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-8157",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-8157"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-8157",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8157"
        },
        {
          "category": "external",
          "summary": "http://www.ocert.org/advisories/ocert-2015-001.html",
          "url": "http://www.ocert.org/advisories/ocert-2015-001.html"
        }
      ],
      "release_date": "2015-01-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-03-18T12:11:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0698"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jasper: dec-\u003enumtiles off-by-one check in jpc_dec_process_sot() (oCERT-2015-001)"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "oCERT"
          ]
        }
      ],
      "cve": "CVE-2014-8158",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2014-01-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1179298"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An unrestricted stack memory use flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jasper: unrestricted stack memory use in jpc_qmfb.c (oCERT-2015-001)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-8158"
        },
        {
          "category": "external",
          "summary": "RHBZ#1179298",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1179298"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-8158",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-8158"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-8158",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8158"
        },
        {
          "category": "external",
          "summary": "http://www.ocert.org/advisories/ocert-2015-001.html",
          "url": "http://www.ocert.org/advisories/ocert-2015-001.html"
        }
      ],
      "release_date": "2015-01-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-03-18T12:11:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0698"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jasper: unrestricted stack memory use in jpc_qmfb.c (oCERT-2015-001)"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "oCERT"
          ]
        }
      ],
      "cve": "CVE-2014-9029",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "discovery_date": "2014-11-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1167537"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Multiple off-by-one flaws, leading to heap-based buffer overflows, were found in the way JasPer decoded JPEG 2000 files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jasper: incorrect component number check in COC, RGN and QCC marker segment decoders (oCERT-2014-009)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
          "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-9029"
        },
        {
          "category": "external",
          "summary": "RHBZ#1167537",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1167537"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-9029",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-9029"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-9029",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9029"
        },
        {
          "category": "external",
          "summary": "http://www.ocert.org/advisories/ocert-2014-009.html",
          "url": "http://www.ocert.org/advisories/ocert-2014-009.html"
        }
      ],
      "release_date": "2014-12-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-03-18T12:11:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0698"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-3.el6.src",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-3.el6.noarch",
            "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-3.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jasper: incorrect component number check in COC, RGN and QCC marker segment decoders (oCERT-2014-009)"
    }
  ]
}

