Hello,

On Tue, 17 May 2022 at 18:41, Jeffrey Walton <nolo...@gmail.com> wrote:
>
> Hi Everyone,
>
> I see PCRE2 recently had a couple of CVEs against it. The CVEs are
> CVE-2019-20838 and CVE-2020-14155. It appears Ubuntu has patched them
> [1].

Those CVEs are against PCRE1, not PCRE2. The latest PCRE1 version
(8.45) contains fixes for both of them, as reported by mitre.
>
> Looking at the ChangeLog [2] and NEWS [3] I don't see any mention of them.
>
> Have the issues been fixed (part of 10.40?)? Or are we waiting for a
> fix and a new release?

Those files are for PCRE2, not PCRE1. To be pedantic, PCRE1's
changelog doesn't mention the CVEs in question either...

But anyways: please note that PCRE1 has already reached EOL and it's
unmaintained, so it should not be used any longer. Any security issue
in there may not get fixed.

HTH,
--
Giuseppe D'Angelo