[exim] PCRE vunerability and Exim ?

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Dr Andrew C Aitchison
Ημερομηνία:  
Προς: exim-users
Υ/ο: exim-dev
Αντικείμενο: [exim] PCRE vunerability and Exim ?

[ Sorry for spamming exim-dev but I believe that the
PCRE maintainer lurks there and not on exim-users :-]

RedHat have released an update to pcre 6.6
http://www.linuxcompatible.org/RHSA-20070967-01_Critical_pcre_security_update_p99769.html
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pcre-6.6-2.el5_0.1.src.rpm
The redhat bugzilla for one of thesre flaws
   https://bugzilla.redhat.com/show_bug.cgi?id=315871
suggests that
    another case of a lone \E inside a character class remained,
    this has been fixed in 7.3


exim-4.68 includes pcre 7.2, which is presumably vunerable.

I suspect that within exim pcre does not parse user-supplied
expressions, so this is not a major vunerability, but is anyone
in a position to confirm this, or do we need to release an updated
version of exim ?

-- 
Dr. Andrew C. Aitchison        Computer Officer, DPMMS, Cambridge
A.C.Aitchison@???    http://www.dpmms.cam.ac.uk/~werdna