Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Andreas, > Speaking of included libs: PCRE in cvsnt is quite old (6.6). I count 18 > "Common Vulnerabilities and Exposures" on cve.mitre.org. As you said: It > does not affect Debian (and probably other distros), because the installed > versions of PCRE are used, but are there any plans to update PCRE? Thanks for the heads up. Unless someone can show that this is a significant risk for CVSNT users I won't be upgrading it for 2.5.04. We have previously listed pcre security vulns as low for CVSNT since the way CVSNT uses it a user can't obtain any rights they do not already have anyway (eg see bug 4638) since the server process is not running privileged. http://customer.march-hare.com/webtools/bugzilla/ttshow_bug.cgi?tt=1&id=4638 Of the 18 pcre vulns on cve I can see only two that clearly affect v6.6 (I don't know enough to be sure that bugs in pcre 7.x really affect 6.x), and the latest pcre 7.7 also has cve's against it so upgrading to pcre 7.7 is not going to completely resolve this question anyway. We updated zlib to 1.2.3 for security vulns at the same time as we updated pcre (just before 2.5.03 went stable) and that is still the latest version. I have stated repeatedly that my goal for 2.5.04 is not to fix anything and that it'll be largely "as broken as 2.5.03" since noone is complaining about 2.5.03 - the whole point of 2.5.04 is to add features (see my last release notes on the newsgroup for more of a rant on that). I don't really like releasing things with known CVE's but I think in this case I think I will because my understanding is that the risk is a) no worse than the current CVSNT release and b) pretty insignificant anyway. Putting this on the table as needing fixing by 2.5.05 is worthwhile. Can anyone shed more light on this? Regards, Arthur Barrett