CVE-2019-20838 and CVE-2020-14155

42 views
Skip to first unread message

Jeffrey Walton

unread,
May 17, 2022, 12:41:01 PM5/17/22
to PCRE2 discussion list
Hi Everyone,

I see PCRE2 recently had a couple of CVE's against it. The CVE's are
CVE-2019-20838 and CVE-2020-14155. It appears Ubuntu has patched them
[1].

Looking at the ChangeLog [2] and NEWS [3] I don't see any mention of them.

Have the issues been fixed (part of 10.40?)? Or are we waiting for a
fix and a new release?

Thanks in advance.

[1] https://ubuntu.com/security/notices/USN-5425-1
[2] https://github.com/PCRE2Project/pcre2/blob/master/ChangeLog
[3] https://github.com/PCRE2Project/pcre2/blob/master/NEWS

Giuseppe D'Angelo

unread,
May 17, 2022, 12:53:22 PM5/17/22
to nolo...@gmail.com, PCRE2 discussion list
Hello,

On Tue, 17 May 2022 at 18:41, Jeffrey Walton <nolo...@gmail.com> wrote:
>
> Hi Everyone,
>
> I see PCRE2 recently had a couple of CVE's against it. The CVE's are
> CVE-2019-20838 and CVE-2020-14155. It appears Ubuntu has patched them
> [1].

Those CVEs are against PCRE1, not PCRE2. The latest PCRE1 version
(8.45) contains fixes for both of them, as reported by mitre.


>
> Looking at the ChangeLog [2] and NEWS [3] I don't see any mention of them.
>
> Have the issues been fixed (part of 10.40?)? Or are we waiting for a
> fix and a new release?

Those files are for PCRE2, not PCRE1. To be pedantic, PCRE1's
changelog doesn't mention the CVEs in question either...

But anyways: please note that PCRE1 has already reached EOL and it's
unmaintained, so it should not be used any longer. Any security issue
in there may not get fixed.

HTH,
--
Giuseppe D'Angelo

Jeffrey Walton

unread,
May 17, 2022, 1:06:23 PM5/17/22
to Giuseppe D'Angelo, PCRE2 discussion list
Oh, thanks. I did not realize that was PCRE1...

Jeff
Reply all
Reply to author
Forward
0 new messages