Your message dated Fri, 17 Feb 2017 21:04:08 +0000
with message-id <e1cephi-0006c3...@fasolo.debian.org>
and subject line Bug#855405: fixed in pcre3 2:8.39-2.1
has caused the Debian Bug report #855405,
regarding pcre3: CVE-2017-6004
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
855405: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855405
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pcre3
Version: 2:8.39-2
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerability was published for pcre3. Filing this for
severity grave as RC, think it should be fixed in stretch. Though I'm
unsure and would tend to mark it as no-dsa for jessie (but need to
verify first that the source there is affected as well).

CVE-2017-6004[0]:
| The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE
| through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version)
| allows remote attackers to cause a denial of service (out-of-bounds
| read and application crash) via a crafted regular expression.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6004
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6004

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: pcre3
Source-Version: 2:8.39-2.1

We believe that the bug you reported is fixed in the latest version of
pcre3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 855...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated pcre3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 17 Feb 2017 15:56:09 +0100
Source: pcre3
Binary: libpcre3 libpcre3-udeb libpcrecpp0v5 libpcre3-dev libpcre3-dbg pcregrep libpcre16-3 libpcre32-3
Architecture: source
Version: 2:8.39-2.1
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <matt...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 855405
Description: 
 libpcre16-3 - Old Perl 5 Compatible Regular Expression Library - 16 bit runtime
 libpcre3   - Old Perl 5 Compatible Regular Expression Library - runtime files
 libpcre3-dbg - Old Perl 5 Compatible Regular Expression Library - debug symbols
 libpcre3-dev - Old Perl 5 Compatible Regular Expression Library - development fi
 libpcre3-udeb - Old Perl 5 Compatible Regular Expression Library - runtime files (udeb)
 libpcre32-3 - Old Perl 5 Compatible Regular Expression Library - 32 bit runtime
 libpcrecpp0v5 - Old Perl 5 Compatible Regular Expression Library - C++ runtime fi
 pcregrep   - grep utility that uses perl 5 compatible regexes.
Changes:
 pcre3 (2:8.39-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2017-6004: crafted regular expression may cause denial of service
     (Closes: #855405)
Checksums-Sha1: 
 4d56aa8a256e907949cb604f92ce390e34da8d8a 2246 pcre3_8.39-2.1.dsc
 45b871e703681f7d0e34095bde6599ae693670c3 24570 pcre3_8.39-2.1.debian.tar.gz
Checksums-Sha256: 
 2a9a8af830285b2f1311833f9a050ab77f69d29b7f33eb1e790aa2c97a018aea 2246 pcre3_8.39-2.1.dsc
 9ca3b9c67a2aeee288dd5dec25416ffd297a73f0a00f993e7b30218cc6c14b49 24570 pcre3_8.39-2.1.debian.tar.gz
Files: 
 8f17c13924863636a5b9e539d69302ae 2246 libs optional pcre3_8.39-2.1.dsc
 c25c097ba40b474f871fabcf0236613a 24570 libs optional pcre3_8.39-2.1.debian.tar.gz

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
