[ Sorry for spamming exim-dev but I believe that the
PCRE maintainer lurks there and not on exim-users :-]
Red Hat have released an update to pcre 6.6:
http://www.linuxcompatible.org/RHSA-20070967-01_Critical_pcre_security_update_p99769.html
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pcre-6.6-2.el5_0.1.src.rpm
The Red Hat bugzilla for one of these flaws
https://bugzilla.redhat.com/show_bug.cgi?id=315871
suggests that
another case of a lone \E inside a character class remained,
this has been fixed in 7.3
exim-4.68 includes pcre 7.2, which is presumably vulnerable.
I suspect that within exim pcre does not parse user-supplied
expressions, so this is not a major vulnerability, but is anyone
in a position to confirm this, or do we need to release an updated
version of exim?
--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
A.C.Aitchison@??? http://www.dpmms.cam.ac.uk/~werdna