openSUSE Security Update: Security update for pcre
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2016:2805-1
Rating:             moderate
References:         #933288 #933878 #936227 #942865 #957566 #957598
                    #960837 #971741 #972127
Cross-References:   CVE-2015-3210 CVE-2015-3217 CVE-2015-5073
                    CVE-2015-8380 CVE-2016-1283 CVE-2016-3191
Affected Products:
                    openSUSE 13.2
______________________________________________________________________________

An update that solves 6 vulnerabilities and has three fixes is now available.

Description:

This version fixes a number of vulnerabilities that affect pcre and
applications using the library when accepting untrusted input as regular
expressions or as part thereof. Remote attackers could have caused the
application to crash, disclose information or potentially execute
arbitrary code.

- Update to PCRE 8.39 FATE#320298 boo#972127.
- CVE-2015-3210: heap buffer overflow in pcre_compile2() /
  compile_regex() (boo#933288)
- CVE-2015-3217: pcre: PCRE Library Call Stack Overflow Vulnerability in
  match() (boo#933878)
- CVE-2015-5073: pcre: Library Heap Overflow Vulnerability in
  find_fixedlength() (boo#936227)
- boo#942865: heap overflow in compile_regex()
- CVE-2015-8380: pcre: heap overflow in pcre_exec (boo#957566)
- boo#957598: various security issues fixed in pcre 8.37 and 8.38 release
- CVE-2016-1283: pcre: Heap buffer overflow in pcre_compile2 causes DoS
  (boo#960837)
- CVE-2016-3191: pcre: workspace overflow for (*ACCEPT) with deeply
  nested parentheses (boo#971741)

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

    zypper in -t patch openSUSE-2016-1303=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.2 (i586 x86_64):

    libpcre1-8.39-3.8.1
    libpcre1-debuginfo-8.39-3.8.1
    libpcre16-0-8.39-3.8.1
    libpcre16-0-debuginfo-8.39-3.8.1
    libpcrecpp0-8.39-3.8.1
    libpcrecpp0-debuginfo-8.39-3.8.1
    libpcreposix0-8.39-3.8.1
    libpcreposix0-debuginfo-8.39-3.8.1
    pcre-debugsource-8.39-3.8.1
    pcre-devel-8.39-3.8.1
    pcre-devel-static-8.39-3.8.1
    pcre-tools-8.39-3.8.1
    pcre-tools-debuginfo-8.39-3.8.1

- openSUSE 13.2 (noarch):

    pcre-doc-8.39-3.8.1

- openSUSE 13.2 (x86_64):

    libpcre1-32bit-8.39-3.8.1
    libpcre1-debuginfo-32bit-8.39-3.8.1
    libpcre16-0-32bit-8.39-3.8.1
    libpcre16-0-debuginfo-32bit-8.39-3.8.1
    libpcrecpp0-32bit-8.39-3.8.1
    libpcrecpp0-debuginfo-32bit-8.39-3.8.1
    libpcreposix0-32bit-8.39-3.8.1
    libpcreposix0-debuginfo-32bit-8.39-3.8.1

References:

  https://www.suse.com/security/cve/CVE-2015-3210.html
  https://www.suse.com/security/cve/CVE-2015-3217.html
  https://www.suse.com/security/cve/CVE-2015-5073.html
  https://www.suse.com/security/cve/CVE-2015-8380.html
  https://www.suse.com/security/cve/CVE-2016-1283.html
  https://www.suse.com/security/cve/CVE-2016-3191.html
  https://bugzilla.suse.com/933288
  https://bugzilla.suse.com/933878
  https://bugzilla.suse.com/936227
  https://bugzilla.suse.com/942865
  https://bugzilla.suse.com/957566
  https://bugzilla.suse.com/957598
  https://bugzilla.suse.com/960837
  https://bugzilla.suse.com/971741
  https://bugzilla.suse.com/972127