PCRE vuln CVE-2006-7225 applies to the bundled PCRE v5 in 2.2.x and trunk. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7225
PCRE 6.7 ChangeLog:

18. A valid (though odd) pattern that looked like a POSIX character class but used an invalid character after [ (for example [[,abc,]]) caused pcre_compile() to give the error "Failed: internal error: code overflow" or in some cases to crash with a glibc free() error. This could even happen if the pattern terminated after [[ but there just happened to be a sequence of letters, a binary zero, and a closing ] in the memory that followed.

Based on the type of malformed expressions that trigger the bug, I think it's extremely unlikely that an _httpd_ administrator would stumble upon an affected expression, but it is a straightforward fix.

IMO while this puts it into the class of issues that require untrusted users modifying the configuration, it does carry a small asterisk because a trusted user could conceivably stumble upon it by accident (and end up with memory corruption or crash instead of an unmatchable RewriteRule)

--
Eric Covener
[EMAIL PROTECTED]
Attachment: trunk-pcre-CVE-2006-7225 (binary data)
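A heuristic configuration audit for the pattern shape the ChangeLog entry describes, as an added example that is not part of the original message or of the httpd or PCRE code. It flags regex-taking directives whose bracket expression contains a nested `[` followed by a delimiter other than `:`, `.` or `=`, then letters, the same delimiter and `]`; the directive subset, the `SUSPECT` expression and the sample configuration are assumptions constructed for illustration.

```python
import re

# httpd directives that take a regular expression (subset chosen for this example).
DIRECTIVE = re.compile(
    r"<?(RewriteRule|RewriteCond|RedirectMatch|AliasMatch|ScriptAliasMatch|"
    r"DirectoryMatch|LocationMatch|FilesMatch|SetEnvIfNoCase|SetEnvIf|"
    r"BrowserMatchNoCase|BrowserMatch)\b", re.I)

# Heuristic (assumption, modelled on the ChangeLog example [[,abc,]]):
# inside an open bracket expression, a nested "[" + delimiter that is not one of
# the POSIX forms ":", "." or "=", then letters, the same delimiter, then "]".
SUSPECT = re.compile(r"\[\^?[^\]]*?\[([^:.=A-Za-z\]\s\\])[A-Za-z]*\1\]")

# Constructed sample configuration, not taken from a real server.
SAMPLE = r"""# constructed sample
RewriteEngine On
RewriteRule ^/old/([[:alpha:]]+)$ /new/$1 [L]
RewriteRule ^/x/[[,abc,]]$ /y [L]
<FilesMatch "\.(gif|jpe?g)$">
RewriteCond %{HTTP_HOST} ^[a-z[!x!]]+$
"""

def audit(config_text):
    """Return (line number, directive, fragment) for each suspicious regex."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are never compiled
        directive = DIRECTIVE.match(line)
        if not directive:
            continue  # directive does not take a regex
        hit = SUSPECT.search(line)
        if hit:
            findings.append((lineno, directive.group(1), hit.group(0)))
    return findings

if __name__ == "__main__":
    for lineno, directive, fragment in audit(SAMPLE):
        print(f"line {lineno}: {directive} contains POSIX-class lookalike {fragment!r}")
```

A well-formed class such as `[[:alpha:]]` is not reported, and a hit only means the expression deserves a manual look before it reaches a server still running the bundled PCRE.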