Debian Package Tracker

general

source: pcre3 (source, libs)
version: 2:8.39-5
maintainer: Matthew Vernon [DMD]
arch: any
std-ver: 3.9.3

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:8.30-5
oldstable: 2:8.35-3.3+deb8u4
stable: 2:8.39-3
testing: 2:8.39-4
unstable: 2:8.39-5

versioned links

1:8.30-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:8.35-3.3+deb8u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:8.39-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:8.39-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:8.39-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libpcre16-3
libpcre3
libpcre3-dbg
libpcre3-dev
libpcre3-udeb
libpcre32-3
libpcrecpp0v5
pcregrep

action needed

A new upstream version is available: 8.41

high

A new upstream version 8.41 is available, you should consider packaging it.

Created: 2017-08-12 Last update: 2017-09-22 07:26

Standards version of the package is outdated.

high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.1.0 instead of 3.9.3).

Created: 2014-07-12 Last update: 2017-09-20 07:10

lintian reports 11 warnings

high

Lintian reports 11 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2014-07-03 Last update: 2017-07-24 07:18

Fails to build during reproducibility testing

normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2017-08-26 Last update: 2017-09-22 07:36

5 bugs tagged patch in the BTS

normal

The BTS contains patches fixing 5 bugs, consider including or untagging them.

Created: 2017-08-12 Last update: 2017-09-22 07:11

14 ignored security issues in wheezy

low

There are 14 open security issues in wheezy.

14 issues skipped by the security teams:

CVE-2015-8382: The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.
CVE-2015-8394: PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8393: pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client.
CVE-2015-8385: PCRE before 8.38 mishandles the /(?|(\k'Pm')|(?'Pm'))/ pattern and related patterns with certain forward references, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8391: The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8387: PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8388: PCRE before 8.38 mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8390: PCRE before 8.38 mishandles the [: and \\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2016-3191: The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.
CVE-2015-2328: PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-5073: Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.
CVE-2015-2327: PCRE before 8.36 mishandles the /(((a\2)|(a*)\g<-1>))*/ pattern and related patterns with certain internal recursive back references, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-3217: PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/.
CVE-2014-8964: Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats.

Please fix them.

Created: 2015-07-12 Last update: 2017-09-20 07:29

4 ignored security issues in jessie

low

There are 4 open security issues in jessie.

4 issues skipped by the security teams:

TEMP-0827564-93E4E3:
CVE-2017-7186: libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.
CVE-2015-3217: PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/.
CVE-2017-7244: The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.

Please fix them.

Created: 2015-07-12 Last update: 2017-09-20 07:29

testing migrations

excuses:
- Migration status: BLOCKED: Rejected/introduces a regression (please see below)
- Too young, only 2 of 5 days old
- missing build on s390x: libpcre16-3, libpcre3, libpcre3-dbg, libpcre3-dev, libpcre3-udeb, libpcre32-3, libpcrecpp0v5, pcregrep (from 2:8.39-4)
- pcre3 has new bugs!
- Updating pcre3 introduces new bugs: #876299
- Updating pcre3 fixes old bugs: #853606
- Piuparts tested OK - https://piuparts.debian.org/sid/source/p/pcre3.html
- Not considered

news

[rss feed]

[2017-09-19] Accepted pcre3 2:8.39-5 (i386 source) into unstable (Matthew Vernon)
[2017-08-03] pcre3 2:8.39-4 MIGRATED to testing (Debian testing watch)
[2017-07-23] Accepted pcre3 2:8.39-4 (i386 source) into unstable (Matthew Vernon)
[2017-03-31] pcre3 2:8.39-3 MIGRATED to testing (Debian testing watch)
[2017-03-21] Accepted pcre3 2:8.39-3 (i386 source) into unstable (Matthew Vernon)
[2017-02-28] pcre3 2:8.39-2.1 MIGRATED to testing (Debian testing watch)
[2017-02-17] Accepted pcre3 2:8.39-2.1 (source) into unstable (Salvatore Bonaccorso)
[2016-10-10] Accepted pcre3 2:8.35-3.3+deb8u4~kbsd8u1 (source) into stable-kfreebsd-proposed-updates (Steven Chamberlain)
[2016-08-30] pcre3 2:8.39-2 MIGRATED to testing (Debian testing watch)
[2016-08-19] Accepted pcre3 2:8.39-2 (i386 source) into unstable (Matthew Vernon)
[2016-08-03] pcre3 2:8.39-1 MIGRATED to testing (Debian testing watch)
[2016-07-28] Accepted pcre3 2:8.39-1 (i386 source) into unstable (Matthew Vernon)
[2016-03-28] pcre3 2:8.38-3.1 MIGRATED to testing (Debian testing watch)
[2016-03-26] Accepted pcre3 2:8.35-3.3+deb8u4 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2016-03-25] Accepted pcre3 2:8.35-3.3+deb8u3 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2016-03-23] Accepted pcre3 2:8.38-3.1 (source) into unstable (Salvatore Bonaccorso)
[2016-03-10] pcre3 2:8.38-3 MIGRATED to testing (Debian testing watch)
[2016-02-29] Accepted pcre3 8.02-1.1+deb6u1 (source amd64) into squeeze-lts (Markus Koschany)
[2016-02-28] Accepted pcre3 2:8.38-3 (i386 source) into unstable (Matthew Vernon)
[2016-02-27] Accepted pcre3 2:8.38-2 (i386 source) into unstable (Matthew Vernon)
[2016-01-11] pcre3 2:8.38-1 MIGRATED to testing (Debian testing watch)
[2016-01-10] Accepted pcre3 2:8.35-3.3+deb8u2 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2015-12-22] Accepted pcre3 2:8.38-1 (i386 source) into unstable (Matthew Vernon)
[2015-12-02] pcre3 2:8.35-8 MIGRATED to testing (Britney)
[2015-11-21] Accepted pcre3 2:8.35-8 (i386 source) into unstable (Matthew Vernon)
[2015-11-08] pcre3 2:8.35-7.4 MIGRATED to testing (Britney)
[2015-11-02] Accepted pcre3 2:8.35-7.4 (source amd64) into unstable (John Paul Adrian Glaubitz)
[2015-11-02] Accepted pcre3 2:8.35-7.3 (source amd64) into unstable (John Paul Adrian Glaubitz)
[2015-09-22] pcre3 2:8.35-7.2 MIGRATED to testing (Britney)
[2015-09-18] Accepted pcre3 2:8.35-3.3+deb8u1 (source amd64) into proposed-updates->stable-new, proposed-updates (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)

bugs [bug history graph]

all: 30 32
RC: 1
I&N: 18 20
M&W: 11
F&P: 0

links

lintian (0, 11)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2:8.39-4
19 bugs