[MDEV-8295] CVE-2015-3210 PCRE vulnerability Created: 2015-06-10  Updated: 2015-12-14  Resolved: 2015-12-14

Status: Closed
Project: MariaDB Server
Component/s: OTHER
Affects Version/s: 10.0
Fix Version/s: 10.0.23, 10.1.10

Type: Bug Priority: Major
Reporter: Cloud Foundry Core Services team Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
PartOf
is part of MDEV-9252 10.0.23 merge Closed
Sprint: 10.0.23

 Description   

MDEV-8006 included fixes for CVE-2014-8964 / CVE-2015-2325 / CVE-2015-2326, and that was released in MariaDB 10.0.18. Unfortunately, there is a new PCRE-related security issue: CVE-2015-3210.



 Comments   
Comment by Cloud Foundry Core Services team [ 2015-06-18 ]

Hey, just in case you have a build pipeline for testing, PCRE has distributed an RC1 that likely addresses this CVE: https://lists.exim.org/lurker/message/20150618.164830.bf6e0148.en.html

Their ChangeLog is here: http://vcs.pcre.org/pcre2/code/trunk/ChangeLog?revision=288&view=markup

Any chance we can get a forecast of how many days beyond a PCRE final release it might take to see a MariaDB release?

(We consider this vulnerability fairly urgent.) Thanks!

Comment by Sergei Golubchik [ 2015-06-18 ]

Our release schedule is on the main Jira page: http://mariadb.org/jira
In short, if a new PCRE release is out today, it'll be in 10.0.21, which is due in a month.

But we generally build with system pcre and link with libpcre.so dynamically. So it's up to distributions and users to upgrade libpcre.so.

Our binary tarballs use bundled pcre, and then our release schedule applies.
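
To tell which of the two cases in the comment above applies to a given server binary, the following added example (not part of the ticket and not MariaDB tooling) classifies `ldd` output as system or bundled PCRE. The `ldd` samples are constructed, the function names are hypothetical, and the fix versions 10.0.23 and 10.1.10 come from this ticket's Fix Version/s field.

```shell
#!/bin/sh
# Constructed `ldd mysqld` samples (not captured from a real host).
SAMPLE_DYNAMIC='    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f0000200000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f0000100000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'
SAMPLE_TARBALL='    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f0000200000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'

# pcre_source: read ldd output on stdin; print the resolved libpcre.so path,
# or "bundled" when there is no dynamic libpcre dependency (PCRE compiled in).
pcre_source() {
  awk '$1 ~ /^libpcre\.so/ && $2 == "=>" { print $3; found = 1; exit }
       END { if (!found) print "bundled" }'
}

# bundled_status: compare a MariaDB version (e.g. 10.0.21-MariaDB) against
# the fix versions listed in this ticket; other series are reported as unknown.
bundled_status() {
  v=${1%%-*}        # drop the "-MariaDB" suffix
  series=${v%.*}    # e.g. 10.0
  patch=${v##*.}    # e.g. 21
  case "$patch" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
  case "$series" in
    10.0) fix=23 ;;
    10.1) fix=10 ;;
    *) echo unknown; return 0 ;;
  esac
  if [ "$patch" -ge "$fix" ]; then echo fixed; else echo predates-fix; fi
}

# check_pcre: $1 = ldd output text, $2 = server version string.
# Real use (path is an assumption): check_pcre "$(ldd /path/to/mysqld)" 10.0.21-MariaDB
check_pcre() {
  src=$(printf '%s\n' "$1" | pcre_source)
  if [ "$src" = bundled ]; then
    echo "bundled pcre: $(bundled_status "$2")"   # MariaDB release schedule applies
  else
    echo "system pcre: $src"                      # fixed by upgrading the OS package
  fi
}

check_pcre "$SAMPLE_DYNAMIC" 10.0.21-MariaDB
check_pcre "$SAMPLE_TARBALL" 10.0.21-MariaDB
check_pcre "$SAMPLE_TARBALL" 10.0.23-MariaDB
```

A "system pcre" result means the MariaDB version says nothing about exposure; the installed libpcre package version is what has to be checked against the distribution's advisory.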
