package: src:pcre2
version: 10.45-1
tags: security upstream trixie forky
PCRE upstream released 10.46 yesterday to fix CVE-2025-58050 -
https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.46
Quoting the release note:
"
This is a security-only release, to address CVE-2025-58050.
Compared to 10.45, this release has only a minimal code change to
prevent a read-past-the-end memory error, of arbitrary length. An
attacker-controlled regex pattern is required, and it cannot be
triggered by providing crafted subject (match) text. The (*ACCEPT) and
(*scs:) pattern features must be used together.
Release 10.44 and earlier are not affected.
This could have implications of denial-of-service or information
disclosure, and could potentially be used to escalate other
vulnerabilities in a system (such as information disclosure being used
to escalate the severity of an unrelated bug in another system).
"
So trixie (10.45-1) and forky/unstable are vulnerable, but not older
releases.
Regards,
Matthew
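
Added example, not part of the original report and not code from the PCRE2 project or Debian: a stopgap gate for hosts still on an affected package that accept regex patterns from untrusted sources, built only from the conditions in the quoted release note (10.45 affected, attacker-controlled pattern, (*ACCEPT) and (*scs:) together). All function names, the sample version strings other than 10.45-1, and the sample patterns are constructed for illustration; "(*scan_substring:" is the long spelling of "(*scs:" in the PCRE2 pattern syntax and is not mentioned in the report.

```python
import re

# Per the quoted release note: 10.44 and earlier are not affected, 10.46 is the fix.
AFFECTED_UPSTREAM = {(10, 45)}

# Both features must appear in the same pattern for the bug to be reachable.
ACCEPT_TOKENS = ("(*accept",)
SCS_TOKENS = ("(*scs:", "(*scan_substring:")  # long form: assumption from PCRE2 docs


def upstream_version(debian_version):
    """'10.45-1' or '1:10.45-1~bpo1' -> (10, 45): drop epoch and Debian revision."""
    version = debian_version.split(":", 1)[-1].rsplit("-", 1)[0]
    match = re.match(r"(\d+)\.(\d+)", version)
    if match is None:
        raise ValueError(f"unrecognised version: {debian_version!r}")
    return int(match.group(1)), int(match.group(2))


def is_affected(debian_version):
    """True only for upstream releases the release note names as vulnerable."""
    return upstream_version(debian_version) in AFFECTED_UPSTREAM


def combines_accept_and_scs(pattern):
    """Deliberate over-approximation: case-folded substring search, no parsing.

    Tokens inside a quoted section or a character class are harmless but are
    still flagged; a false rejection is cheaper than a hand-written pattern
    parser that disagrees with the real one.
    """
    folded = pattern.lower()
    return (any(token in folded for token in ACCEPT_TOKENS)
            and any(token in folded for token in SCS_TOKENS))


def patterns_to_reject(debian_version, untrusted_patterns):
    """Untrusted patterns to refuse on this host; empty if the package is unaffected."""
    if not is_affected(debian_version):
        return []
    return [p for p in untrusted_patterns if combines_accept_and_scs(p)]


# Constructed sample input; the last entry is a placeholder, not a real pattern.
SAMPLES = [
    r"^\d{4}-\d{2}-\d{2}$",
    r"foo(*ACCEPT)bar",
    "(*scs:<elided>)<elided>(*ACCEPT)",
]
```

The gate only narrows exposure until the fixed package is installed; upgrading to 10.46 is the actual remedy.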