An update for pcre2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-1686 Final 1.0 1.0 2022-06-02 Initial 2022-06-02 2022-06-02 openEuler SA Tool V1.0 2022-06-02 pcre2 security update An update for pcre2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS. PCRE2 is a re-working of the original PCRE1 library to provide an entirely new API. Since its initial release in 2015, there has been further development of the code and it now differs from PCRE1 in more than just the API. PCRE2 is written in C, and it has its own API. There are three sets of functions, one for the 8-bit library, which processes strings of bytes, one for the 16-bit library, which processes strings of 16-bit values, and one for the 32-bit library, which processes strings of 32-bit values. Unlike PCRE1, there are no C++ wrappers. Security Fix(es): An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.(CVE-2022-1586) An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.(CVE-2022-1587) An update for pcre2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical pcre2 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1686 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-1586 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-1587 https://nvd.nist.gov/vuln/detail/CVE-2022-1586 https://nvd.nist.gov/vuln/detail/CVE-2022-1587 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS pcre2-10.35-2.oe1.aarch64.rpm pcre2-devel-10.35-2.oe1.aarch64.rpm pcre2-debugsource-10.35-2.oe1.aarch64.rpm pcre2-debuginfo-10.35-2.oe1.aarch64.rpm pcre2-debuginfo-10.35-2.oe1.aarch64.rpm pcre2-debugsource-10.35-2.oe1.aarch64.rpm pcre2-devel-10.35-2.oe1.aarch64.rpm pcre2-10.35-2.oe1.aarch64.rpm pcre2-debuginfo-10.39-2.oe2203.aarch64.rpm pcre2-debugsource-10.39-2.oe2203.aarch64.rpm pcre2-10.39-2.oe2203.aarch64.rpm pcre2-devel-10.39-2.oe2203.aarch64.rpm pcre2-help-10.35-2.oe1.noarch.rpm pcre2-help-10.35-2.oe1.noarch.rpm pcre2-help-10.39-2.oe2203.noarch.rpm pcre2-10.35-2.oe1.src.rpm pcre2-10.35-2.oe1.src.rpm pcre2-10.39-2.oe2203.src.rpm pcre2-10.35-2.oe1.x86_64.rpm pcre2-debuginfo-10.35-2.oe1.x86_64.rpm pcre2-devel-10.35-2.oe1.x86_64.rpm pcre2-debugsource-10.35-2.oe1.x86_64.rpm pcre2-debugsource-10.35-2.oe1.x86_64.rpm pcre2-10.35-2.oe1.x86_64.rpm pcre2-devel-10.35-2.oe1.x86_64.rpm pcre2-debuginfo-10.35-2.oe1.x86_64.rpm pcre2-10.39-2.oe2203.x86_64.rpm pcre2-devel-10.39-2.oe2203.x86_64.rpm pcre2-debugsource-10.39-2.oe2203.x86_64.rpm pcre2-debuginfo-10.39-2.oe2203.x86_64.rpm An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT. 2022-06-02 CVE-2022-1586 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H pcre2 security update 2022-06-02 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1686 An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers. 2022-06-02 CVE-2022-1587 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H pcre2 security update 2022-06-02 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1686