ELA-143-1 libonig security update


Related CVEs CVE-2019-13224

A use-after-free in onig_new_deluxe() in regext.c allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe().

For Debian 7 Wheezy, these problems have been fixed in version 5.9.1-1+deb7u2.

We recommend that you upgrade your libonig packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.