-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4756-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 29, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : lilypond
CVE ID         : CVE-2020-17353

Faidon Liambotis discovered that Lilypond, a program for typesetting
sheet music, did not restrict the inclusion of Postscript and SVG
commands when operating in safe mode, which could result in the
execution of arbitrary code when rendering a typesheet file with
embedded Postscript code.

For the stable distribution (buster), this problem has been fixed in
version 2.19.81+really-2.18.2-13+deb10u1.

We recommend that you upgrade your lilypond packages.

For the detailed security status of lilypond please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lilypond

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl9KkNAACgkQEMKTtsN8
TjZpuQ//Xh9/Lsc/+M8vfyad+dqE4xo+fC2DGbY+AOsHExOcRfb8GJiBWSZxYger
/gm/04GDAhwmNIpFEImC+rFHFfRpSemwLtWaie6dfngtjgRMehS2j2FSasQ4gUF9
ldfGbjV9Cow55801nXeOaG0RZZCkrdOopqVRjxxzOFNESW/J9GFZLNaV6IOrK5JO
5dzZKr2+9CZwx0kXlsqU7LZ2beyj/JgXKzP2vulwxnqrDRz6CU3sG3Jg0dFQbZym
DIpcgYdUf1PgpRSnNyQEyePuwr+PgGRdgZIvnUPMNJ+cVi4M2qW6rcBLtQsHwkoq
kTVtNmiqNXEStv4tKovLVVIgVOA4D5Shg5uBTkRe5NPz+pWlCHplBsJa5SvCLrf4
AFMg9KRlVElmZsK7+T6v0Y9QIayec8D+F5nkgz2D1e7JM+WbIjv0xaz3Uc754cHf
GLUqPldf0SzWoJ1QEtlfr5O+4Pp6TIx0iS0FJC8zRdbhi+ZAwAD0Ba7qCl1jeHDi
MOIgY/MqQExUwhz5aEJU8/rTRey6FhXq8ekmKzk/aPKyZo4d9lyJxLS8Byrh+MQo
/YIp7aVWjpXGYjFRENk1hn7gZ3eha60vDaqA2heFMYa6UAGJ4B4Gf/FWr9frIrJ/
De0GqQoBoEKSuMkCaJZ/ABZwRcilCzpuvbcc7aU/rKladPpH3XA=
=cgrt
-----END PGP SIGNATURE-----