touch-packages team mailing list archive

Thread
Date

[Bug 1396768] Re: pcre3 vulnerability CVE-2014, 2015

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>
Date: Thu, 23 Jul 2015 13:44:05 -0000
Reply-to: Bug 1396768 <1396768@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

ACK on the wily and vivid debdiffs. I've slightly adjusted the vivid versioning and have removed the extra lines in the changelog.
Wily is uploaded to the archive, and vivid is uploaded here, awaiting the other releases:

https://launchpad.net/~ubuntu-security-
proposed/+archive/ubuntu/ppa/+packages

For trusty, CVE-2014-8964 is missing. Red Hat has a backport available here:
https://bugzilla.redhat.com/show_bug.cgi?id=1166147#c8

Are you planning on working on precise also?

** Bug watch added: Red Hat Bugzilla #1166147
   https://bugzilla.redhat.com/show_bug.cgi?id=1166147

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-8964

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pcre3 in Ubuntu.
https://bugs.launchpad.net/bugs/1396768

Title:
  pcre3 vulnerability CVE-2014, 2015

Status in pcre3 package in Ubuntu:
  In Progress
Status in pcre3 source package in Precise:
  New
Status in pcre3 source package in Trusty:
  In Progress
Status in pcre3 source package in Utopic:
  In Progress
Status in pcre3 source package in Vivid:
  In Progress

Bug description:
  SRU Justification

  [Impact]

  CVE-2014-8964
  CVE-2015-2325
  CVE-2015-2326
  CVE-2015-3210
  CVE-2015-5073

  [Test Case]

  [Regression Potential]

  [Other Info]

  CVE-2014-8964

  https://security-tracker.debian.org/tracker/CVE-2014-8964
  https://bugzilla.redhat.com/show_bug.cgi?id=1166147
  http://bugs.exim.org/show_bug.cgi?id=1546

  Requires some heavy backporting to older releases, see:
  https://bugzilla.redhat.com/show_bug.cgi?id=1166147#c2.

  CVE-2015-2325

  https://security-tracker.debian.org/tracker/CVE-2015-2325
  http://bugs.exim.org/show_bug.cgi?id=1591
  http://vcs.pcre.org/pcre?view=revision&revision=1528

  CVE-2015-2326

  https://security-tracker.debian.org/tracker/CVE-2015-2326
  http://bugs.exim.org/show_bug.cgi?id=1592
  http://vcs.pcre.org/pcre?view=revision&revision=1529

  CVE-2015-3210

  https://security-tracker.debian.org/tracker/CVE-2015-3210
  https://bugs.exim.org/show_bug.cgi?id=1636
  http://vcs.pcre.org/pcre?view=revision&revision=1558

  CVE-2015-5073

  https://security-tracker.debian.org/tracker/CVE-2015-5073
  https://bugs.exim.org/show_bug.cgi?id=1651
  http://vcs.pcre.org/pcre?view=revision&revision=1571

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcre3/+bug/1396768/+subscriptions