Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DLA-2431-1:6BC5D
HistoryNov 05, 2020 - 1:29 a.m.

[SECURITY][DLA 2431-1] libonig security update

2020-11-0501:29:26
lists.debian.org
46
debian 9 stretch
libonig
security update
multiple vulnerabilities

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

10

Confidence

High

EPSS

0.014

Percentile

86.8%

JSON

Debian LTS Advisory DLA-2431-1 [email protected]
https://www.debian.org/lts/security/ Markus Koschany
November 05, 2020 https://wiki.debian.org/LTS

Package : libonig
Version : 6.1.3-2+deb9u1
CVE ID : CVE-2019-13224 CVE-2019-16163 CVE-2019-19012
CVE-2019-19203 CVE-2019-19204 CVE-2019-19246
CVE-2020-26159
Debian Bug : 931878 939988 944959 945312 945313 946344 972113

Several vulnerabilities were discovered in the Oniguruma regular
expressions library, notably used in PHP mbstring.

CVE-2019-13224

A use-after-free in onig_new_deluxe() in regext.c allows
attackers to potentially cause information disclosure, denial of
service, or possibly code execution by providing a crafted regular
expression. The attacker provides a pair of a regex pattern and a
string, with a multi-byte encoding that gets handled by
onig_new_deluxe().

CVE-2019-16163

Oniguruma allows Stack Exhaustion in regcomp.c because of recursion
in regparse.c.

CVE-2019-19012

An integer overflow in the search_in_range function in regexec.c in
Onigurama leads to an out-of-bounds read, in which the offset of
this read is under the control of an attacker. (This only affects
the 32-bit compiled version). Remote attackers can cause a
denial-of-service or information disclosure, or possibly have
unspecified other impact, via a crafted regular expression.

CVE-2019-19203

An issue was discovered in Oniguruma. In the function
gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is
dereferenced without checking if it passed the end of the matched
string. This leads to a heap-based buffer over-read.

CVE-2019-19204

An issue was discovered in Oniguruma. In the function
fetch_interval_quantifier (formerly known as fetch_range_quantifier)
in regparse.c, PFETCH is called without checking PEND. This leads to
a heap-based buffer over-read.

CVE-2019-19246

Oniguruma has a heap-based buffer over-read in str_lower_case_match
in regexec.c.

CVE-2020-26159

In Oniguruma an attacker able to supply a regular expression for
compilation may be able to overflow a buffer by one byte in
concat_opt_exact_str in src/regcomp.c

For Debian 9 stretch, these problems have been fixed in version
6.1.3-2+deb9u1.

We recommend that you upgrade your libonig packages.

For the detailed security status of libonig please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libonig

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8amd64libonig2< 5.9.5-3.2+deb8u4libonig2_5.9.5-3.2+deb8u4_amd64.deb
Debian8armhflibonig2-dbg< 5.9.5-3.2+deb8u4libonig2-dbg_5.9.5-3.2+deb8u4_armhf.deb
Debian9i386libonig-dev< 6.1.3-2+deb9u1libonig-dev_6.1.3-2+deb9u1_i386.deb
Debian8i386libonig2-dbg< 5.9.5-3.2+deb8u4libonig2-dbg_5.9.5-3.2+deb8u4_i386.deb
Debian9arm64libonig4< 6.1.3-2+deb9u1libonig4_6.1.3-2+deb9u1_arm64.deb
Debian9armellibonig4< 6.1.3-2+deb9u1libonig4_6.1.3-2+deb9u1_armel.deb
Debian9arm64libonig4-dbg< 6.1.3-2+deb9u1libonig4-dbg_6.1.3-2+deb9u1_arm64.deb
Debian9arm64libonig-dev< 6.1.3-2+deb9u1libonig-dev_6.1.3-2+deb9u1_arm64.deb
Debian8armellibonig2< 5.9.5-3.2+deb8u4libonig2_5.9.5-3.2+deb8u4_armel.deb
Debian9i386libonig4-dbg< 6.1.3-2+deb9u1libonig4-dbg_6.1.3-2+deb9u1_i386.deb
Rows per page:
1-10 of 291

Related

openvas 30
suse 1
osv 17
nessus 46
almalinux 2
redhat 6
oraclelinux 2
ubuntu 3
fedora 8
mageia 2
amazon 3
debian 4
altlinux 1
photon 4
prion 7
githubexploit 6
ubuntucve 6
alpinelinux 5
cvelist 7
cve 7
nvd 7
redhatcve 7
veracode 5
debiancve 6
f5 1
thn 1
cbl_mariner 1
rocky 1
gentoo 1
ibm 1
freebsd 1
openvas
openvas
Debian: Security Advisory (DLA-2431-1)
2020-11-05 00:00:00
openSUSE: Security Advisory for oniguruma (SUSE-SU-2022:3327-1)
2022-09-22 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:3327-1)
2022-09-22 00:00:00
suse
suse
Security update for oniguruma (important)
2022-09-21 00:00:00
osv
osv
libonig - security update
2020-11-03 00:00:00
Moderate: oniguruma security update
2024-02-20 00:00:00
libonig vulnerabilities
2022-10-10 05:11:49
nessus
nessus
SUSE SLED15 / SLES15 Security Update : oniguruma (SUSE-SU-2022:3327-1)
2022-09-22 00:00:00
Ubuntu 16.04 ESM / 18.04 ESM : Oniguruma vulnerabilities (USN-5662-1)
2023-10-16 00:00:00
AlmaLinux 8 : oniguruma (ALSA-2024:0889)
2024-02-22 00:00:00
almalinux
almalinux
Moderate: oniguruma security update
2024-02-20 00:00:00
Moderate: php:7.3 security, bug fix, and enhancement update
2020-09-08 08:38:31
redhat
redhat
(RHSA-2024:0889) Moderate: oniguruma security update
2024-02-20 11:21:18
(RHSA-2024:0409) Moderate: oniguruma security update
2024-01-24 14:40:20
(RHSA-2024:0572) Moderate: oniguruma security update
2024-01-30 12:53:17
oraclelinux
oraclelinux
oniguruma security update
2024-02-20 00:00:00
php:7.3 security, bug fix, and enhancement update
2020-09-09 00:00:00
ubuntu
ubuntu
Oniguruma vulnerabilities
2022-10-10 00:00:00
Oniguruma vulnerabilities
2020-08-17 00:00:00
PHP vulnerability
2019-08-07 00:00:00
fedora
fedora
[SECURITY] Fedora 30 Update: oniguruma-6.9.2-4.fc30
2019-12-08 01:03:41
[SECURITY] Fedora 31 Update: oniguruma-6.9.4-1.fc31
2019-12-04 01:15:49
[SECURITY] Fedora 30 Update: oniguruma-6.9.2-3.fc30
2019-11-21 00:56:07
mageia
mageia
Updated oniguruma packages fix security vulnerabilities
2020-01-12 02:52:04
Updated oniguruma packages fix security vulnerability
2020-12-08 13:40:32
amazon
amazon
Medium: oniguruma
2020-01-06 23:44:00
Medium: oniguruma
2020-11-09 21:04:00
Medium: oniguruma
2019-09-30 20:59:00
debian
debian
[SECURITY] [DLA 2020-1] libonig security update
2019-12-04 11:43:12
[SECURITY] [DLA 1918-1] libonig security update
2019-09-12 09:48:11
[SECURITY] [DLA 1854-1] libonig security update
2019-07-17 15:25:01
altlinux
altlinux
Security fix for the ALT Linux 8 package oniguruma version 6.9.4-alt1
2019-12-04 00:00:00
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2019-2.0-0196
2019-12-20 00:00:00
Critical Photon OS Security Update - PHSA-2019-0196
2019-09-24 00:00:00
Critical Photon OS Security Update - PHSA-2020-0047
2020-01-16 00:00:00
prion
prion
Integer overflow
2019-11-17 18:15:00
Heap overflow
2019-11-25 17:15:00
Heap overflow
2019-11-21 21:15:00
githubexploit
githubexploit
Exploit for Out-of-bounds Read in Oniguruma Project Oniguruma
2019-11-20 14:32:23
Exploit for Out-of-bounds Read in Oniguruma Project Oniguruma
2019-11-20 10:00:18
Exploit for Out-of-bounds Read in Oniguruma Project Oniguruma
2019-12-24 08:11:11
ubuntucve
ubuntucve
CVE-2019-19012
2019-11-17 00:00:00
CVE-2019-19246
2019-11-25 00:00:00
CVE-2019-19204
2019-11-21 00:00:00
alpinelinux
alpinelinux
CVE-2019-19012
2019-11-17 18:15:00
CVE-2019-19203
2019-11-21 21:15:00
CVE-2019-19204
2019-11-21 21:15:00
cvelist
cvelist
CVE-2019-19012
2019-11-16 15:30:47
CVE-2019-19203
2019-11-21 20:06:59
CVE-2019-19246
2019-11-25 16:16:20
cve
cve
CVE-2019-19012
2019-11-17 18:15:11
CVE-2019-19246
2019-11-25 17:15:11
CVE-2019-16163
2019-09-09 17:15:13
nvd
nvd
CVE-2019-19012
2019-11-17 18:15:11
CVE-2019-19203
2019-11-21 21:15:11
CVE-2019-19246
2019-11-25 17:15:11
redhatcve
redhatcve
CVE-2019-19203
2020-02-12 10:14:22
CVE-2019-19246
2020-03-29 08:05:22
CVE-2019-19012
2020-02-12 09:44:24
veracode
veracode
Buffer Over-read
2020-12-02 09:50:08
Buffer Over-read
2020-12-02 09:50:09
Denial Of Service (DoS)
2020-12-02 09:50:09
debiancve
debiancve
CVE-2019-19246
2019-11-25 17:15:11
CVE-2019-16163
2019-09-09 17:15:13
CVE-2019-19012
2019-11-17 18:15:11
f5
f5
K00103182 : Oniguruma vulnerability CVE-2019-13224
2019-08-23 00:00:00
thn
thn
Multiple Code Execution Flaws Found In PHP Programming Language
2019-09-06 11:12:00
cbl_mariner
cbl_mariner
CVE-2020-26159 affecting package oniguruma 6.9.5-2
2020-11-05 04:21:18
rocky
rocky
php:7.3 security, bug fix, and enhancement update
2020-09-08 08:38:31
gentoo
gentoo
Oniguruma: Multiple vulnerabilities
2019-11-07 00:00:00
ibm
ibm
Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.
2023-01-06 21:25:02
freebsd
freebsd
oniguruma -- multiple vulnerabilities
2019-07-03 00:00:00

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

10

Confidence

High

EPSS

0.014

Percentile

86.8%

JSON
Related for DEBIAN:DLA-2431-1:6BC5D
openvas30suse1osv17nessus46almalinux2redhat6oraclelinux2ubuntu3fedora8mageia2amazon3debian4altlinux1photon4prion7githubexploit6ubuntucve6alpinelinux5cvelist7cve7nvd7redhatcve7veracode5debiancve6f51thn1cbl_mariner1rocky1gentoo1ibm1freebsd1