[Secure-testing-team] Bug#855405: pcre3: CVE-2017-6004

Salvatore Bonaccorso carnil at debian.org
Fri Feb 17 14:33:37 UTC 2017


Source: pcre3
Version: 2:8.39-2
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerability was published for pcre3. Filing this for
severity grave as RC, think it should be fixed in stretch. Though I'm
unsure and would tend to mark it as no-dsa for jessie (but need to
verify first that the source there is affected as well).

CVE-2017-6004[0]:
| The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE
| through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version)
| allows remote attackers to cause a denial of service (out-of-bounds
| read and application crash) via a crafted regular expression.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6004
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6004

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
