CVE-2014-9911 — icu - security update

Description

Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted uloc_getDisplayName call.

How to fix CVE-2014-9911

To remediate CVE-2014-9911, upgrade the affected package to a fixed version below.

—upgrade to 55.1-3 or later
—upgrade to 4.8.1.1-12+deb7u6 or later
—upgrade to 52.1-8+deb8u4 or later

Is CVE-2014-9911 being exploited?

Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 55.1-3
from 0, < 4.8.1.1-12+deb7u6
from 0, < 52.1-8+deb8u4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-9911