Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 12 Apr 2023 12:07:02 +0100
From: Matthew Vernon <matthew@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-11164 - stack exhaustion in PCRE

On 11/04/2023 12:22, Sevan Janiyan wrote:

> "PCRE1 has become totally obsolete and is no longer maintained. The
> final release was 8.45 (June 2021)"
> 
> So just a heads up if you're still linking against PCRE 8.x but software
> in question supports PCRE2, perhaps it's time to switch and default to
> PCRE2.

I've been trying to push towards getting old-PCRE out of Debian; you can 
track the outstanding bugs online[0], and there's similar for Ubuntu[1].

Once the next Debian release "bookworm" is out, I'm hoping to be able to 
make the outstanding bugs release critical, moving towards not shipping 
the older pcre (called pcre3 in Debian for Historical Reasons) in the 
next release...

Regards,

Matthew
[PCRE maintainer for Debian]

[0] 
https://udd.debian.org/bugs/?release=any&merged=ign&fnewerval=7&flastmodval=7&fusertag=only&fusertagtag=obsolete-pcre3&fusertaguser=matthew-pcredep%40debian.org&allbugs=1&sortby=id&sorto=asc&format=html#results
[1] https://bugs.launchpad.net/ubuntu/+source/pcre3/+bug/1792544

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.