[Secure-testing-commits] r53459 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Thu Jul 13 20:23:58 UTC 2017


Author: carnil
Date: 2017-07-13 20:23:58 +0000 (Thu, 13 Jul 2017)
New Revision: 53459

Modified:
   data/CVE/list
Log:
Add CVE-2017-11164/pcre3

Mark it as pcre3 specific, without touching pcre2. Most likely to be
marked unimportant, as upstream does not consider such class of issues
as vulnerabilities with infinite recursion possibility when parsing
crafted regular expressions.

Please double-check.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-07-13 20:20:36 UTC (rev 53458)
+++ data/CVE/list	2017-07-13 20:23:58 UTC (rev 53459)
@@ -130,7 +130,9 @@
 CVE-2017-11165 (dataTaker DT80 dEX 1.50.012 allows remote attackers to obtain sensitive ...)
 	NOT-FOR-US: dataTaker
 CVE-2017-11164 (In PCRE 8.41, the OP_KETRMAX feature in the match function in ...)
-	TODO: check
+	- pcre3 <unfixed>
+	NOTE: http://openwall.com/lists/oss-security/2017/07/11/3
+	TODO: check, most likely to be marked unimportant, as per referenced thread
 CVE-2017-11163 (Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in ...)
 	- cacti 1.1.12+ds1-1 (bug #868080)
 	[stretch] - cacti <not-affected> (Vulnerable code introduced later)
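
Review bot: The added `- pcre3 <unfixed>` line under CVE-2017-11164 says nothing about pcre2, although the log message states that pcre2 was left untouched on purpose. Someone reading data/CVE/list alone cannot tell whether pcre2 was checked or overlooked. Consider adding a NOTE line that records the pcre3-only decision. The rationale now sitting in the TODO line ("most likely to be marked unimportant, as per referenced thread") would also be better kept in a NOTE next to the oss-security link, so that it stays in the entry once the TODO is resolved.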



