uap-core: CVE-2018-20164

Debian Bug report logs - #922717
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 19 Feb 2019 20:03:01 UTC

Severity: serious

Tags: security, upstream

Found in version uap-core/20181019-1

Fixed in version uap-core/20190213-1

Done: Edward Betts <edward@4angle.com>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Edward Betts <edward@4angle.com>:
Bug#922717; Package src:uap-core. (Tue, 19 Feb 2019 20:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Edward Betts <edward@4angle.com>. (Tue, 19 Feb 2019 20:03:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: uap-core: CVE-2018-20164
Date: Tue, 19 Feb 2019 21:01:24 +0100
Source: uap-core
Version: 20181019-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for uap-core.

CVE-2018-20164[0]:
| An issue was discovered in regex.yaml (aka regexes.yaml) in UA-Parser
| UAP-Core before 0.6.0. A Regular Expression Denial of Service (ReDoS)
| issue allows remote attackers to overload a server by setting the
| User-Agent header in an HTTP(S) request to a value containing a long
| digit string. (The UAP-Core project contains the vulnerability,
| propagating to all implementations.)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20164
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20164
[1] https://www.x41-dsec.de/lab/advisories/x41-2018-009-uaparser/

Regards,
Salvatore

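The CVE text above describes the failure class but not the offending pattern, so the script below is an added illustration of a Regular Expression Denial of Service of the kind the advisory reports: a backtracking regex applied to the User-Agent header whose matching time grows exponentially with the length of a digit run, beside a linear rewrite and a header-length cap. It is not code from uap-core, from the Debian package or from the X41 advisory; the two patterns, the Browser/ token, the hostile_ua() input and the 512-byte MAX_UA_LEN cap are all constructed for the demonstration and are not the regex that was fixed in regexes.yaml.

```python
"""Illustration of the ReDoS class behind CVE-2018-20164.

Added example, not part of the Debian bug log or of uap-core. The two
patterns below are constructed for the demonstration and are not the
regexes shipped in uap-core's regexes.yaml; they only reproduce the failure
class the advisory describes: a backtracking regex over a digit run in the
User-Agent header whose work grows exponentially with the run's length.
"""
import re
import time

# Constructed: a nested quantifier over digits followed by a token that can
# fail. On "Browser/" + "1"*n + "x" the engine tries every way of splitting
# the n digits between the inner and outer quantifier before giving up,
# i.e. about 2**(n-1) attempts.
VULNERABLE = re.compile(r"Browser/(\d+)+\.(\d+)")

# Constructed hardened form: one quantifier per digit run, so the engine
# consumes each character once and a failing match is detected in O(n).
HARDENED = re.compile(r"Browser/(\d+)\.(\d+)")

# Assumed deployment limit for a User-Agent header (not from the advisory).
# Real browser UAs are a few hundred bytes; anything far beyond that is not
# worth handing to a regex-based parser at all.
MAX_UA_LEN = 512


def parse_ua(pattern, ua):
    """Return (major, minor) from the first match of pattern in ua, or None."""
    m = pattern.search(ua)
    return (m.group(1), m.group(2)) if m else None


def timed_parse(pattern, ua):
    """Run parse_ua and return (result, wall-clock seconds)."""
    start = time.perf_counter()
    result = parse_ua(pattern, ua)
    return result, time.perf_counter() - start


def safe_parse(ua, pattern=HARDENED, max_len=MAX_UA_LEN):
    """Defence in depth: refuse over-long headers before any regex runs.

    Fixing the patterns is the real remedy; the cap only bounds the work a
    single request can cost if a slow pattern slips back in.
    """
    if len(ua) > max_len:
        return None
    return parse_ua(pattern, ua)


def hostile_ua(n):
    """Constructed attacker input: n digits that never reach the '.'."""
    return "Mozilla/5.0 Browser/" + "1" * n + "x"


if __name__ == "__main__":
    benign = "Mozilla/5.0 Browser/12.3"
    print("benign:", parse_ua(VULNERABLE, benign), parse_ua(HARDENED, benign))
    # Time roughly doubles per extra digit for VULNERABLE and stays flat
    # for HARDENED; n is kept small so the demo finishes in seconds.
    for n in (12, 14, 16, 18):
        ua = hostile_ua(n)
        _, slow = timed_parse(VULNERABLE, ua)
        _, fast = timed_parse(HARDENED, ua)
        print(f"n={n:2d}  vulnerable={slow:8.4f}s  hardened={fast:8.6f}s")
    print("capped:", safe_parse(hostile_ua(10_000)))
```

Run it as a script to see the doubling; raising n by a few more digits is enough to pin a CPU core for minutes, which is the whole attack. Note that the Debian fix (new upstream release 20190213) corrects the patterns themselves; a length cap like safe_parse() is something the consuming application can add on top, not a substitute for the upstream fix.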


Reply sent to Edward Betts <edward@4angle.com>:
You have taken responsibility. (Tue, 05 Mar 2019 13:39:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 05 Mar 2019 13:39:03 GMT)


Message #10 received at 922717-close@bugs.debian.org:

From: Edward Betts <edward@4angle.com>
To: 922717-close@bugs.debian.org
Subject: Bug#922717: fixed in uap-core 20190213-1
Date: Tue, 05 Mar 2019 13:34:47 +0000
Source: uap-core
Source-Version: 20190213-1

We believe that the bug you reported is fixed in the latest version of
uap-core, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922717@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Edward Betts <edward@4angle.com> (supplier of updated uap-core package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 Mar 2019 12:29:24 +0000
Source: uap-core
Binary: uap-core
Architecture: source all
Version: 20190213-1
Distribution: unstable
Urgency: high
Maintainer: Edward Betts <edward@4angle.com>
Changed-By: Edward Betts <edward@4angle.com>
Description:
 uap-core   - User Agent Parser core - collection of regular expressions
Closes: 922717
Changes:
 uap-core (20190213-1) unstable; urgency=high
 .
   * New upstream release Closes: #922717
     - CVE-2018-20164: Regular Expression Denial of Service
   * debian/control: update Standards-Version
Checksums-Sha1:
 43339888577f63c321218a4f4231e5b0d45973da 1729 uap-core_20190213-1.dsc
 d036368964f671eed40512bd16929cc71581a3af 578876 uap-core_20190213.orig.tar.xz
 f5e5b5d2bc9fd5e4067937159d41621e0d4801fc 1616 uap-core_20190213-1.debian.tar.xz
 db01c9c88340f06ecc5c4bb99232bceff73f06ae 39444 uap-core_20190213-1_all.deb
 c5ef5dbc4bd3fc68eb21a8935473e3d977bcabfc 5467 uap-core_20190213-1_amd64.buildinfo
Checksums-Sha256:
 301f08b3d1b982c16990e7f008290b3cefaf875040e444de502daebd798930c3 1729 uap-core_20190213-1.dsc
 dc4f1f194c91fdf011b8cfbe1c26cad26cf594814f4efa97415b8ab6262cd9fd 578876 uap-core_20190213.orig.tar.xz
 845866c6c6d71531a6c291ba356ac1709178a7f849d09d0b44b07267d61842c7 1616 uap-core_20190213-1.debian.tar.xz
 497d6afd5087560b6c9f8eb055ad9f1f8aa2799455e95e1a2f1cfabc967d9232 39444 uap-core_20190213-1_all.deb
 7c94318f1895978f4fd18ea7cf0e655b17f118afc36580973fc8012a69d5a250 5467 uap-core_20190213-1_amd64.buildinfo
Files:
 a477ca9d10eeae0aea0f56b0526b394d 1729 web optional uap-core_20190213-1.dsc
 4cc7885854a88982e649911d7195c86c 578876 web optional uap-core_20190213.orig.tar.xz
 eb4d3d8fbacfe9a8f1fbf92b53daf073 1616 web optional uap-core_20190213-1.debian.tar.xz
 c47d74ff906aeccc0c19fdcd3178835d 39444 web optional uap-core_20190213-1_all.deb
 c0afe89815b13ff4e0553f4a44fd4624 5467 web optional uap-core_20190213-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Severity set to 'serious' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 19 Mar 2019 09:57:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Apr 2019 07:27:26 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:10:02 2019; Machine Name: beach
