Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 10.0(EOL)
    • 10.0.23, 10.1.10
    • OTHER
    • None
    • 10.0.23

    Description

      MDEV-8006 included fixes for CVE-2014-8964 / CVE-2015-2325 / CVE-2015-2326, and that was released in MariaDB 10.0.18. Unfortunately, there is a new PCRE-related security issue: CVE-2015-3210.

          Activity

            cfservices Cloud Foundry Core Services team added a comment (edited):

            Hey, just in case you have a build pipeline for testing, PCRE has distributed an RC1 that likely addresses this CVE: https://lists.exim.org/lurker/message/20150618.164830.bf6e0148.en.html

            Their ChangeLog is here: http://vcs.pcre.org/pcre2/code/trunk/ChangeLog?revision=288&view=markup

            Any chance we can get a forecast of how many days beyond a PCRE final release it might take to see a MariaDB release?

            (We consider this vulnerability fairly urgent.) Thanks!

            serg Sergei Golubchik added a comment:

            Our release schedule is on the main Jira page: http://mariadb.org/jira
            In short, if a new PCRE release is out today, it'll be in 10.0.21, which is due in a month.

            But we generally build with system pcre and link with libpcre.so dynamically. So it's up to distributions and users to upgrade libpcre.so.

            Our binary tarballs use bundled pcre, and then our release schedule applies.
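Added example (not part of the comment thread and not MariaDB project code): a shell check for the distinction drawn in the last comment, reporting whether a server binary resolves libpcre.so from the system or carries bundled PCRE. It goes one step beyond the comment by also flagging a running server that still maps a libpcre file replaced on disk; the function names and the sample `ldd` and `/proc/<pid>/maps` lines are constructed for illustration.

```shell
# Constructed sample inputs (not taken from a real host).
DISTRO_LDD='    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f1c2a3d1000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29e00000)'
TARBALL_LDD='    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29e00000)'
STALE_MAPS='7f1c2a3d1000-7f1c2a443000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libpcre.so.3.13.1 (deleted)'

# Read `ldd` output on stdin and print where the binary gets PCRE from:
#   "system <path>"  libpcre.so is resolved dynamically; the distribution's
#                    libpcre package is what needs upgrading
#   "missing"        libpcre.so is required but the loader cannot find it
#   "bundled"        no libpcre.so dependency; PCRE is compiled into the
#                    binary, so the fix arrives with a new server release
pcre_source() {
  awk '
    $1 ~ /^libpcre\.so/ && $2 == "=>" {
      if ($3 == "not") print "missing"; else print "system " $3
      found = 1
      exit
    }
    END { if (!found) print "bundled" }
  '
}

# Read /proc/<pid>/maps content on stdin; succeed if the process still maps a
# libpcre file that has been replaced on disk, i.e. the package was upgraded
# but the server was not restarted and keeps running the old code.
stale_pcre_mapped() {
  grep -Eq '/libpcre\.so[^ ]* \(deleted\)$'
}

# Demo on the constructed samples.
printf '%s\n' "$DISTRO_LDD" | pcre_source
printf '%s\n' "$TARBALL_LDD" | pcre_source
if printf '%s\n' "$STALE_MAPS" | stale_pcre_mapped; then
  echo "old libpcre still mapped: restart the server"
fi

# On a real host (binary path and process name are assumptions):
#   ldd /usr/sbin/mysqld | pcre_source
#   stale_pcre_mapped < "/proc/$(pidof mysqld)/maps" && echo "restart needed"
```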

            People

              serg Sergei Golubchik
              cfservices Cloud Foundry Core Services team