USN-2739-1 FreeType Vulnerabilities
- libfreetype6 2.5.2-1ubuntu2.5 - FreeType 2 is a font engine library
It was discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or hang, resulting in a denial of service, or possibly expose uninitialized memory.
Severity is medium unless otherwise noted.
- BOSH: All versions of Cloud Foundry BOSH stemcells prior to v3094 are vulnerable to the aforementioned CVEs.
- Cloud Foundry Runtime: all versions of cf-release prior to 219 are vulnerable to the aforementioned CVEs.
- Products in the PCF Suite which reference BOSH stemcell v3093 or earlier are vulnerable to the aforementioned CVE:
- Ops Manager v1.5.6 or earlier
- Elastic Runtime v1.5.5 or earlier
- Ops Metrics 1.4.3 or earlier
- MySQL for Pivotal Cloud Foundry v1.6.2 or earlier
- Session State Caching Powered by Pivotal Gemfire v1.0.2 or earlier
- RabbitMQ for Pivotal Cloud Foundry v1.4.4 or earlier
- Redis for Pivotal Cloud Foundry v1.4.8 or earlier
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project recommends that Cloud Foundry Deployments using BOSH stemcell v3093 or earlier upgrade to v3094 or later, which contain the patched versions of the Linux kernel to resolve the aforementioned CVE.
- The Cloud Foundry project recommends that Cloud Foundry Deployments using cf-release 218 or lower upgrade to 219 or higher to resolve the aforementioned CVEs.
- Pivotal recommends customers upgrade to the following releases in the PCF Suite: