Errata overview
Errata ID 457
Date 2019-03-20
Source package liblivemedia
Fixed in version 2016.11.28-1+deb9u2
This update addresses the following issues:
* A Denial of Service issue was discovered in the LIVE555 Streaming Media
  libraries. It can cause an RTSPServer crash in handleHTTPCmd_TunnelingPOST,
  when RTSP-over-HTTP tunneling is supported, via x-sessioncookie HTTP
  headers in a GET request and a POST request within the same TCP session.
  This occurs because of a call to an incorrect virtual function pointer in
  the readSocket function in GroupsockHelper.cpp. (CVE-2019-6256)
* liblivemedia mishandles the termination of an RTSP stream after
  RTP/RTCP-over-RTSP has been set up, which could lead to a Use-After-Free
  error that causes the RTSP server to crash (Segmentation fault) or possibly
  have unspecified other impact. (CVE-2019-7314)
* In Live555, malformed headers lead to invalid memory access in the
  parseAuthorizationHeader function. (CVE-2019-9215)
Additional notes
CVE ID CVE-2019-6256
UCS Bug number #49021