Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.3781 pcre security update 10 November 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: pcre Publisher: Red Hat Operating System: Red Hat Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-14155 CVE-2019-20838 Reference: ESB-2021.3586 ESB-2020.2722 Original Bulletin: https://access.redhat.com/errata/RHSA-2021:4373 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Low: pcre security update Advisory ID: RHSA-2021:4373-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:4373 Issue date: 2021-11-09 CVE Names: CVE-2019-20838 CVE-2020-14155 ===================================================================== 1. Summary: An update for pcre is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: PCRE is a Perl-compatible regular expression library. Security Fix(es): * pcre: Buffer over-read in JIT when UTF is disabled and \X or \R has fixed quantifier greater than 1 (CVE-2019-20838) * pcre: Integer overflow when parsing callout numeric arguments (CVE-2020-14155) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1848436 - CVE-2020-14155 pcre: Integer overflow when parsing callout numeric arguments 1848444 - CVE-2019-20838 pcre: Buffer over-read in JIT when UTF is disabled and \X or \R has fixed quantifier greater than 1 6. Package List: Red Hat Enterprise Linux BaseOS (v. 8): Source: pcre-8.42-6.el8.src.rpm aarch64: pcre-8.42-6.el8.aarch64.rpm pcre-cpp-8.42-6.el8.aarch64.rpm pcre-cpp-debuginfo-8.42-6.el8.aarch64.rpm pcre-debuginfo-8.42-6.el8.aarch64.rpm pcre-debugsource-8.42-6.el8.aarch64.rpm pcre-devel-8.42-6.el8.aarch64.rpm pcre-tools-debuginfo-8.42-6.el8.aarch64.rpm pcre-utf16-8.42-6.el8.aarch64.rpm pcre-utf16-debuginfo-8.42-6.el8.aarch64.rpm pcre-utf32-8.42-6.el8.aarch64.rpm pcre-utf32-debuginfo-8.42-6.el8.aarch64.rpm ppc64le: pcre-8.42-6.el8.ppc64le.rpm pcre-cpp-8.42-6.el8.ppc64le.rpm pcre-cpp-debuginfo-8.42-6.el8.ppc64le.rpm pcre-debuginfo-8.42-6.el8.ppc64le.rpm pcre-debugsource-8.42-6.el8.ppc64le.rpm pcre-devel-8.42-6.el8.ppc64le.rpm pcre-tools-debuginfo-8.42-6.el8.ppc64le.rpm pcre-utf16-8.42-6.el8.ppc64le.rpm pcre-utf16-debuginfo-8.42-6.el8.ppc64le.rpm pcre-utf32-8.42-6.el8.ppc64le.rpm pcre-utf32-debuginfo-8.42-6.el8.ppc64le.rpm s390x: pcre-8.42-6.el8.s390x.rpm pcre-cpp-8.42-6.el8.s390x.rpm pcre-cpp-debuginfo-8.42-6.el8.s390x.rpm pcre-debuginfo-8.42-6.el8.s390x.rpm pcre-debugsource-8.42-6.el8.s390x.rpm pcre-devel-8.42-6.el8.s390x.rpm pcre-tools-debuginfo-8.42-6.el8.s390x.rpm pcre-utf16-8.42-6.el8.s390x.rpm pcre-utf16-debuginfo-8.42-6.el8.s390x.rpm pcre-utf32-8.42-6.el8.s390x.rpm pcre-utf32-debuginfo-8.42-6.el8.s390x.rpm x86_64: pcre-8.42-6.el8.i686.rpm pcre-8.42-6.el8.x86_64.rpm pcre-cpp-8.42-6.el8.i686.rpm pcre-cpp-8.42-6.el8.x86_64.rpm pcre-cpp-debuginfo-8.42-6.el8.i686.rpm pcre-cpp-debuginfo-8.42-6.el8.x86_64.rpm pcre-debuginfo-8.42-6.el8.i686.rpm pcre-debuginfo-8.42-6.el8.x86_64.rpm pcre-debugsource-8.42-6.el8.i686.rpm pcre-debugsource-8.42-6.el8.x86_64.rpm pcre-devel-8.42-6.el8.i686.rpm pcre-devel-8.42-6.el8.x86_64.rpm pcre-tools-debuginfo-8.42-6.el8.i686.rpm pcre-tools-debuginfo-8.42-6.el8.x86_64.rpm pcre-utf16-8.42-6.el8.i686.rpm pcre-utf16-8.42-6.el8.x86_64.rpm pcre-utf16-debuginfo-8.42-6.el8.i686.rpm pcre-utf16-debuginfo-8.42-6.el8.x86_64.rpm pcre-utf32-8.42-6.el8.i686.rpm pcre-utf32-8.42-6.el8.x86_64.rpm pcre-utf32-debuginfo-8.42-6.el8.i686.rpm pcre-utf32-debuginfo-8.42-6.el8.x86_64.rpm Red Hat Enterprise Linux CRB (v. 8): aarch64: pcre-cpp-debuginfo-8.42-6.el8.aarch64.rpm pcre-debuginfo-8.42-6.el8.aarch64.rpm pcre-debugsource-8.42-6.el8.aarch64.rpm pcre-static-8.42-6.el8.aarch64.rpm pcre-tools-debuginfo-8.42-6.el8.aarch64.rpm pcre-utf16-debuginfo-8.42-6.el8.aarch64.rpm pcre-utf32-debuginfo-8.42-6.el8.aarch64.rpm ppc64le: pcre-cpp-debuginfo-8.42-6.el8.ppc64le.rpm pcre-debuginfo-8.42-6.el8.ppc64le.rpm pcre-debugsource-8.42-6.el8.ppc64le.rpm pcre-static-8.42-6.el8.ppc64le.rpm pcre-tools-debuginfo-8.42-6.el8.ppc64le.rpm pcre-utf16-debuginfo-8.42-6.el8.ppc64le.rpm pcre-utf32-debuginfo-8.42-6.el8.ppc64le.rpm s390x: pcre-cpp-debuginfo-8.42-6.el8.s390x.rpm pcre-debuginfo-8.42-6.el8.s390x.rpm pcre-debugsource-8.42-6.el8.s390x.rpm pcre-static-8.42-6.el8.s390x.rpm pcre-tools-debuginfo-8.42-6.el8.s390x.rpm pcre-utf16-debuginfo-8.42-6.el8.s390x.rpm pcre-utf32-debuginfo-8.42-6.el8.s390x.rpm x86_64: pcre-cpp-debuginfo-8.42-6.el8.i686.rpm pcre-cpp-debuginfo-8.42-6.el8.x86_64.rpm pcre-debuginfo-8.42-6.el8.i686.rpm pcre-debuginfo-8.42-6.el8.x86_64.rpm pcre-debugsource-8.42-6.el8.i686.rpm pcre-debugsource-8.42-6.el8.x86_64.rpm pcre-static-8.42-6.el8.i686.rpm pcre-static-8.42-6.el8.x86_64.rpm pcre-tools-debuginfo-8.42-6.el8.i686.rpm pcre-tools-debuginfo-8.42-6.el8.x86_64.rpm pcre-utf16-debuginfo-8.42-6.el8.i686.rpm pcre-utf16-debuginfo-8.42-6.el8.x86_64.rpm pcre-utf32-debuginfo-8.42-6.el8.i686.rpm pcre-utf32-debuginfo-8.42-6.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-20838 https://access.redhat.com/security/cve/CVE-2020-14155 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYYrcdNzjgjWX9erEAQgdyQ//XAuG8KcO4FdYe2I6q9tw6IVmYvzSgx5M qfoCy5NXZjw7mMZnoNhpDb7EIwHXpEuscSfn29LjPpEeAo2oJkBCOdkTzhuaiH4w c2yy2gu1W2RQ9gbKu16qBjIGNsAb/uvMujgPgA32sLtvlBy1EXGD3IslpQx/pyjZ PhKnxvt41RhmbzePHBJCDUtZNviy19TZVIR2YcrsYZ0B3k5SZ4IiEcX9YMgVU3z2 Xnh2uFscv29O6oTn8uQ54NhrDs1PA/cH5rjnzQxsO7+P+uwKTqCqM1lmMbnK5vkS FbRgIAJp+8RUUqHPXCwCC61ScgqW2Mn6IWn2yind3isYZAofQhaO3EdSPuiyFsGy zvpeKTGvh9uUnaPCpJMMzzHIIMix10AZBfP0gZYmpaTI2vk2gnpMWtpu/sSStlPk 95mXAygms+yyq1x0KxVOCMS8FONaFCZXs5cuGaj3Tviy0sM0JnVKyIUE/P44ETcT mqC5RA7cQn4MTfjmG87ub73Vc+xhjM5luZkf4uF5j5eMnECnD4qVOZCHhYwW9ess iiVsQ1lkT2iZVfcHEnqzOTvgFJRXwsdiBhESTgNb+JfPO3wnvtpukqcdqk6ALur/ cXvCOK+FCPrVauoBtKmcBBw7q7i0ixe9XW0O+AUqOD99xDWdqDUjoZd9RTVpTaTG Kk1mDB29RxQ= =gdqn - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYYtIj+NLKJtyKPYoAQj3jg//WCJDtxE+7x8oqIc4Nq859uL+EoEwiL8P GOLanbSxIspkINBess3XzGkVs2s0vAXAIkFgFAEH8lw4SqBF9Je0y82nXaJileeY KcT5gv9vFxEVSyYPCQl3g8IKYaFfmKuVk1pcawWU2clji8xUciw01eG3JZGzl6qn cOkQyYl3R4rVXnr8mWMfKYlwgmO/F3whYB3hdI5Hsy9iXQ9y7ya8sDgSTjVrfCZT b1U6qNwz8AfWw5gv+q/eGUngDF3gfo0r3uNLzbu9nkfVUB+3ruM3V9wVie1AI/Jg CPLe0itdNDtJGM3TQJFBPFpC/zfRZOQptyKPNi5QjHnQlczj9EAzGnT/hlskYcw2 aJ/NTlioggDbxKXHDoPvwgoocAmF+pV0dAfM14YghwKjKx4AiT+WM+LNubm9I9iQ zO3EOQWTRtct8tsCEvD5BJf1WRVmb7eP9aXNuDvcubbNGYfyLGwCRQJUSRS1i1nd S3Rm0x2P2nOn51eqAkZsdQOGV+fYvI0fE21GfGarHckKKBTmsYTWv6fd8X4ZrqZ/ SgU7kI+TybMcRGbeBJa5A+hfpJlUMM4LM0EOGpyJrCbwpx8L7HLrbthVq1t3fxYI tu3AHj+YREMh+l+SpK88qOvc/V205KQ/tQyAkVBOI7ea1S0pkKk2BNdKsU42l+To uMPTGw+eAug= =bzbY -----END PGP SIGNATURE-----