CVE-2019-20838 and CVE-2020-14155

Jeffrey Walton

May 17, 2022, 12:41:01 PM
to PCRE2 discussion list
Hi Everyone,

I see PCRE2 recently had a couple of CVEs against it. The CVEs are
CVE-2019-20838 and CVE-2020-14155. It appears Ubuntu has patched them
[1].

Looking at the ChangeLog [2] and NEWS [3] I don't see any mention of them.

Have the issues been fixed (part of 10.40?)? Or are we waiting for a
fix and a new release?

Thanks in advance.

[1] https://ubuntu.com/security/notices/USN-5425-1
[2] https://github.com/PCRE2Project/pcre2/blob/master/ChangeLog
[3] https://github.com/PCRE2Project/pcre2/blob/master/NEWS

Giuseppe D'Angelo

May 17, 2022, 12:53:22 PM
to nolo...@gmail.com, PCRE2 discussion list
Hello,

On Tue, 17 May 2022 at 18:41, Jeffrey Walton <nolo...@gmail.com> wrote:
>
> Hi Everyone,
>
> I see PCRE2 recently had a couple of CVEs against it. The CVEs are
> CVE-2019-20838 and CVE-2020-14155. It appears Ubuntu has patched them
> [1].

Those CVEs are against PCRE1, not PCRE2. The latest PCRE1 version
(8.45) contains fixes for both of them, as reported by MITRE.


>
> Looking at the ChangeLog [2] and NEWS [3] I don't see any mention of them.
>
> Have the issues been fixed (part of 10.40?)? Or are we waiting for a
> fix and a new release?

Those files are for PCRE2, not PCRE1. To be pedantic, PCRE1's
changelog doesn't mention the CVEs in question either...

But anyways: please note that PCRE1 has already reached EOL and it's
unmaintained, so it should not be used any longer. Any security issue
in there may not get fixed.

HTH,
--
Giuseppe D'Angelo

Jeffrey Walton

May 17, 2022, 1:06:23 PM
to Giuseppe D'Angelo, PCRE2 discussion list
Oh, thanks. I did not realize that was PCRE1...

Jeff