https://bugzilla.mindrot.org/show_bug.cgi?id=3419
--- Comment #4 from Christoph Anton Mitterer <[email protected]> ---

(1) yes, though some (I'd say especially PCRE) have become like de facto standards.

(2) At least all major Linuxes (I've checked Debian, Fedora, Arch, OpenSUSE, Ubuntu, Alpine, Rocky, CentOS, CentOS Stream and Cygwin) have their grep depend on libpcre2, so I'd be tempted to say that effectively it's like a system lib. But I guess the BSDs don't.

(3) For pcre2 I find 11 CVEs since 2015, which is considerably less than what e.g. OpenSSH itself has (which is of course not meant as an insult, but rather to put numbers into perspective). I did however not check how serious all of these were.

I would however even intuitively guess that e.g. for grep (which is used in gazillions of scripts), security issues in pcre would be far more problematic than for ssh, where we'd probably ever only match against hostnames and usernames, which could be checked for the few valid characters before even running pcre on them.

Anyway,... was just an idea which I've thought would make maintaining complex sshd?_configs much simpler.

Cheers,
Chris :-)
