Detections
Analytics

Debian dla-3363 : libpcre2-16-0 - security update

critical Nessus Plugin ID 172599

Language:

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3363 advisory.

 ------------------------------------------------------------------------- Debian LTS Advisory DLA-3363-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin March 16, 2023 https://wiki.debian.org/LTS
 -------------------------------------------------------------------------

 Package : pcre2 Version : 10.32-5+deb10u1 CVE ID : CVE-2019-20454 CVE-2022-1586 CVE-2022-1587 Debian Bug : 1011954

 Multiple out-of-bounds read vulnerabilities were found in pcre2, a Perl Compatible Regular Expression library, which could result in information disclosure or denial or service.

 CVE-2019-20454

 Out-of-bounds read when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode.

 CVE-2022-1586

 Out-of-bounds read involving unicode property matching in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.

 CVE-2022-1587

 Out-of-bounds read affecting recursions in JIT-compiled regular expressions caused by duplicate data transfers.

 This upload also fixes a subject buffer overread in JIT when UTF is disabled and \X or \R has a greater than 1 fixed quantifier. This issue was found by Yunho Kim.

 For Debian 10 buster, these problems have been fixed in version 10.32-5+deb10u1.

 We recommend that you upgrade your pcre2 packages.

 For the detailed security status of pcre2 please refer to its security tracker page at:
 https://security-tracker.debian.org/tracker/pcre2

 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Attachment:
 signature.asc Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the libpcre2-16-0 packages.

See Also

https://security-tracker.debian.org/tracker/source-package/pcre2

https://security-tracker.debian.org/tracker/CVE-2019-20454

https://security-tracker.debian.org/tracker/CVE-2022-1586

https://security-tracker.debian.org/tracker/CVE-2022-1587

https://packages.debian.org/source/buster/pcre2

Plugin Details

Severity: Critical

ID: 172599

File Name: debian_DLA-3363.nasl

Version: 1.2

Type: local

Agent: unix

Published: 3/16/2023

Updated: 1/22/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS Score Source: CVE-2022-1587

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libpcre2-8-0, cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:libpcre2-posix0, p-cpe:/a:debian:debian_linux:libpcre2-dbg, p-cpe:/a:debian:debian_linux:libpcre2-32-0, p-cpe:/a:debian:debian_linux:pcre2-utils, p-cpe:/a:debian:debian_linux:libpcre2-16-0, p-cpe:/a:debian:debian_linux:libpcre2-dev

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/16/2023

Vulnerability Publication Date: 2/14/2020

Reference Information

CVE: CVE-2019-20454, CVE-2022-1586, CVE-2022-1587