On Wed, Nov 07, 2007 at 08:41:00AM +0000, Dr Andrew C Aitchison wrote:
>
> [ Sorry for spamming exim-dev but I believe that the
> PCRE maintainer lurks there and not on exim-users :-]
[..]
> exim-4.68 includes pcre 7.2, which is presumably vulnerable.
>
> I suspect that within exim pcre does not parse user-supplied
> expressions, so this is not a major vulnerability, but is anyone
> in a position to confirm this, or do we need to release an updated
> version of exim?
Well, that depends on the site's setup. Exim can put user-supplied data into
the regex value (there's a string expansion target "rxquote" for that),
so I can imagine there are quite a lot of potentially vulnerable systems
out there.
--
Jan Srzednicki :: http://wrzask.pl/
"Remember, remember, the fifth of November"
-- V for Vendetta