| Name | CVE-2020-5243 |
| Description | uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This has been patched in uap-core 0.7.3. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 952649 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| uap-core (PTS) | buster | 20190213-2 | vulnerable |
| bullseye | 1:0.12.0-1 | fixed | |
| bookworm | 1:0.16.0-1 | fixed | |
| sid, trixie | 1:0.18.0-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| uap-core | source | (unstable) | 1:0.8.0-1 | 952649 |
[buster] - uap-core <no-dsa> (Minor issue)
https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p
https://github.com/ua-parser/uap-core/commit/a679b131697e7371f0441f4799940779efa2f27e
https://github.com/ua-parser/uap-core/commit/dd279cff09546dbd4174bd05d29c0e90c2cffa7c
https://github.com/ua-parser/uap-core/commit/7d92a383440c9742ec878273c90a4dcf8446f9af
https://github.com/ua-parser/uap-core/commit/e9a1c74dae9ecd4aa6385bd34ef6c7243f89b537