diff options
| author | Guilhem Moulin <guilhem@debian.org> | 2023-03-16 03:40:02 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@debian.org> | 2023-03-16 03:40:02 +0100 |
| commit | 02e596b9ab402970b6536a73588a5e7176e3c4ca (patch) | |
| tree | 06fd9cb104a1cc35689d29f1e42762375320fe3d | |
| parent | fd17fa6b3dacee0a29127c15211144e74199b439 (diff) | |
DLA-3363-1 for pcre2
| -rw-r--r-- | english/lts/security/2023/dla-3363.data | 10 | ||||
| -rw-r--r-- | english/lts/security/2023/dla-3363.wml | 48 |
2 files changed, 58 insertions, 0 deletions
diff --git a/english/lts/security/2023/dla-3363.data b/english/lts/security/2023/dla-3363.data new file mode 100644 index 00000000000..970dcec9fa7 --- /dev/null +++ b/english/lts/security/2023/dla-3363.data @@ -0,0 +1,10 @@ +<define-tag pagetitle>DLA-3363-1 pcre2</define-tag> +<define-tag report_date>2023-03-16</define-tag> +<define-tag secrefs>CVE-2019-20454 CVE-2022-1586 CVE-2022-1587 Bug#1011954</define-tag> +<define-tag packages>pcre2</define-tag> +<define-tag isvulnerable>yes</define-tag> +<define-tag fixed>yes</define-tag> +<define-tag fixed-section>no</define-tag> + +#use wml::debian::security + diff --git a/english/lts/security/2023/dla-3363.wml b/english/lts/security/2023/dla-3363.wml new file mode 100644 index 00000000000..4a4e40f956d --- /dev/null +++ b/english/lts/security/2023/dla-3363.wml @@ -0,0 +1,48 @@ +<define-tag description>LTS security update</define-tag> +<define-tag moreinfo> +<p>Multiple out-of-bounds read vulnerabilities were found in pcre2, a Perl +Compatible Regular Expression library, which could result in information +disclosure or denial or service.</p> + +<ul> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2019-20454">CVE-2019-20454</a> + + <p>Out-of-bounds read when the pattern <code>\X</code> is JIT + compiled and used to match specially crafted subjects in non-UTF + mode.</p></li> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2022-1586">CVE-2022-1586</a> + + <p>Out-of-bounds read involving unicode property matching in + JIT-compiled regular expressions. The issue occurs because the + character was not fully read in case-less matching within JIT.</p></li> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2022-1587">CVE-2022-1587</a> + + <p>Out-of-bounds read affecting recursions in JIT-compiled regular + expressions caused by duplicate data transfers.</p> + +<p>This upload also fixes a subject buffer overread in JIT when UTF is +disabled and <code>\X</code> or <code>\R</code> has a greater +than 1 fixed quantifier. This issue was found by Yunho Kim.</p></li> + +</ul> + +<p>For Debian 10 buster, these problems have been fixed in version +10.32-5+deb10u1.</p> + +<p>We recommend that you upgrade your pcre2 packages.</p> + +<p>For the detailed security status of pcre2 please refer to +its security tracker page at: +<a href="https://security-tracker.debian.org/tracker/pcre2">https://security-tracker.debian.org/tracker/pcre2</a></p> + +<p>Further information about Debian LTS security advisories, how to apply +these updates to your system and frequently asked questions can be +found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p> +</define-tag> + +# do not modify the following line +#include "$(ENGLISHDIR)/lts/security/2023/dla-3363.data" +# $Id: $ |