Source: pcre3
Version: 2:8.39-2
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerability was published for pcre3.

Filing this for severity grave as RC, think it should be fixed in stretch. Though I'm unsure and would tend to mark it as no-dsa for jessie (but need to verify first that the source there is affected as well).

CVE-2017-6004[0]:
| The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE
| through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version)
| allows remote attackers to cause a denial of service (out-of-bounds
| read and application crash) via a crafted regular expression.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6004
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6004

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore