Debian DSA-3187-1 : icu - security update

critical Nessus Plugin ID 81831

Language:

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 6

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities were discovered in the International Components for Unicode (ICU) library.

 - CVE-2013-1569 Glyph table issue.

 - CVE-2013-2383 Glyph table issue.

 - CVE-2013-2384 Font layout issue.

 - CVE-2013-2419 Font processing issue.

 - CVE-2014-6585 Out-of-bounds read.

 - CVE-2014-6591 Additional out-of-bounds reads.

 - CVE-2014-7923 Memory corruption in regular expression comparison.

 - CVE-2014-7926 Memory corruption in regular expression comparison.

 - CVE-2014-7940 Uninitialized memory.

 - CVE-2014-9654 More regular expression flaws.

Solution

Upgrade the icu packages.

For the stable distribution (wheezy), these problems have been fixed in version 4.8.1.1-12+deb7u2.

For the upcoming stable (jessie) and unstable (sid) distributions, these problems have been fixed in version 52.1-7.1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775884

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776264

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776265

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776719

https://security-tracker.debian.org/tracker/CVE-2013-1569

https://security-tracker.debian.org/tracker/CVE-2013-2383

https://security-tracker.debian.org/tracker/CVE-2013-2384

https://security-tracker.debian.org/tracker/CVE-2013-2419

https://security-tracker.debian.org/tracker/CVE-2014-6585

https://security-tracker.debian.org/tracker/CVE-2014-6591

https://security-tracker.debian.org/tracker/CVE-2014-7923

https://security-tracker.debian.org/tracker/CVE-2014-7926

https://security-tracker.debian.org/tracker/CVE-2014-7940

https://security-tracker.debian.org/tracker/CVE-2014-9654

https://packages.debian.org/source/wheezy/icu

https://www.debian.org/security/2015/dsa-3187

Plugin Details

Severity: Critical

ID: 81831

File Name: debian_DSA-3187.nasl

Version: 1.18

Type: local

Agent: unix

Published: 3/17/2015

Updated: 1/11/2021

Dependencies: ssh_get_info.nasl

Risk Information

Risk Factor: Critical

VPR Score: 6

CVSS v2.0

Base Score: 10

Temporal Score: 7.8

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:icu, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/15/2015

Reference Information

CVE: CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2419, CVE-2014-6585, CVE-2014-6591, CVE-2014-7923, CVE-2014-7926, CVE-2014-7940, CVE-2014-9654

BID: 59131, 59166, 59179, 59190, 72173, 72175

DSA: 3187