Univention Bugzilla – Full Text Bug Listing

| | | | |
|---|---|---|---|
| Summary: | icu: Multiple issues (4.1) | | |
| Product: | UCS | Reporter: | Arvid Requate <requate> |
| Component: | Security updates | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
| Severity: | normal | | |
| Priority: | P5 | CC: | gohmann, walkenhorst |
| Version: | UCS 4.1 | Flags: | requate: Patch_Available+ |
| Target Milestone: | UCS 4.1-4-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | Security |
| Max CVSS v3 score: | 8.4 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | | |
| Bug Depends on: | | | |
| Bug Blocks: | 41953 | | |
Description
Arvid Requate
2016-08-09 22:36:19 CEST
CVE-2015-2632: CVSS v2 base score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-2015-4844: CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2016-0494: CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

4.8.1.1-12+deb7u5: CVE-2016-6293

The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.

Upstream Debian package version 4.8.1.1-12+deb7u6 fixes these issues:

* buffer overflow problem in uresbund.c (CVE-2014-9911)
* stack-based buffer overflow in the Locale class via a long locale string (CVE-2016-7415)

Advisory: icu.yaml

OK - 4.8.1.1-12+deb7u6 with
- CVE-2015-2632
- CVE-2015-4844
- CVE-2016-0494
- CVE-2016-6293
- CVE-2014-9911
- CVE-2016-7415

OK - update
OK - YAML