Hi,

> the following vulnerability was published for pcre2.
>
> CVE-2017-8786[0]:
> | pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
> | service (heap-based buffer overflow) or possibly have unspecified other
> | impact via a crafted regular expression.

Upstream have on a number of occasions said that they don't really consider problems in pcre2test.c a security issue for the library as a whole.

> The issue is only in the pcre2test utility, so IMHO no immediate
> update is needed. But if you get an unblock from the release team,
> then even better and might already be fixed for stretch.

My inclination is that it's OK for the next upstream pcre2 release which will contain this fix.

Regards,

Matthew

