Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.0
    • Fix Version/s: 10.0
    • Component/s: None
    • Labels:
      None

      Description

      MDEV-8006 included fixes for CVE-2014-8964 / CVE-2015-2325 / CVE-2015-2326, and that was released in MariaDB 10.0.18. Unfortunately, there is a new PCRE related security issue: CVE-2015-3210

              Activity

              cfservices Cloud Foundry Core Services team added a comment - - edited

              Hey, just in case you have a build pipeline for testing, PCRE has distributed an RC1 that likely addresses this CVE: https://lists.exim.org/lurker/message/20150618.164830.bf6e0148.en.html

              Their ChangeLog is here: http://vcs.pcre.org/pcre2/code/trunk/ChangeLog?revision=288&view=markup

              Any chance we can get a forecast of how many days beyond a PCRE final release it might take to see a MariaDB release?

              (We consider this vulnerability fairly urgent.) Thanks!

              serg Sergei Golubchik added a comment -

              Our release schedule is on the main Jira page: http://mariadb.org/jira
              In short, if a new PCRE release is out today, it'll be in 10.0.21, which is due in a month.

              But we generally build with system pcre and link with libpcre.so dynamically. So it's up to distributions and users to upgrade libpcre.so.

              Our binary tarballs use bundled pcre, and then our release schedule applies.
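
The linkage distinction in the comment above (system libpcre.so versus the bundled copy in binary tarballs) decides who has to ship the CVE-2015-3210 fix. As an added example, not part of the original thread or MariaDB's own tooling, this script classifies a server binary from its `ldd` output; the sample `ldd` lines and the `/usr/sbin/mysqld` path are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify where a binary gets PCRE from, reading `ldd` output
# on stdin. Real use (binary path is an assumption, adjust for your install):
#   ldd /usr/sbin/mysqld | pcre_fix_owner

# Prints "dynamic <resolved path>", "missing", or "none".
# Only PCRE1 (libpcre.so.*) is matched; libpcreposix/libpcrecpp are ignored.
pcre_linkage() {
    awk '
        $1 ~ /^libpcre\.so/ {
            found = 1
            if ($3 == "not" && $4 == "found") { print "missing" }
            else { print "dynamic " $3 }
            exit
        }
        END { if (!found) print "none" }
    '
}

# Maps the linkage to whoever has to deliver the patched PCRE.
# Assumption: a mysqld with no dynamic libpcre dependency has PCRE compiled in.
pcre_fix_owner() {
    case "$(pcre_linkage)" in
        dynamic*) echo "distribution: upgrade the system libpcre package" ;;
        missing)  echo "distribution: libpcre is required but not installed" ;;
        none)     echo "mariadb: bundled PCRE, fixed only by a new server release" ;;
    esac
}

# Constructed ldd output for illustration (not captured from a real host).
sample_system() {
    printf '\tlibz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f0000100000)\n'
    printf '\tlibpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f0000200000)\n'
}
sample_bundled() {
    printf '\tlibz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f0000100000)\n'
    printf '\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)\n'
}

echo "distro build:   $(sample_system  | pcre_fix_owner)"
echo "binary tarball: $(sample_bundled | pcre_fix_owner)"
```

For the dynamic case, the resolved path can be passed to `dpkg -S` or `rpm -qf` to find the package whose update carries the fix.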


                People

                • Assignee:
                  serg Sergei Golubchik
                  Reporter:
                  cfservices Cloud Foundry Core Services team
                • Votes:
                  0
                  Watchers:
                  2

                  Dates

                  • Created:
                    Updated: