[cvsnt-dev] Bug#466408: Failure of Drop-In Compatibility with Old Repository

Arthur Barrett arthur.barrett at march-hare.com
Wed Jul 9 07:53:21 BST 2008


> Speaking of included libs: PCRE in cvsnt is quite old (6.6). I count 18 
> "Common Vulnerabilities and Exposures" on cve.mitre.org. As you said: It 
> does not affect Debian (and probably other distros), because the installed 
> versions of PCRE are used, but are there any plans to update PCRE?

Thanks for the heads up.

Unless someone can show that this is a significant risk for CVSNT users I 
won't be upgrading it for 2.5.04.

We have previously listed pcre security vulns as low for CVSNT since the way 
CVSNT uses it a user can't obtain any rights they do not already have anyway 
(eg see bug 4638) since the server process is not running privileged.

Of the 18 pcre vulns on cve I can see only two that clearly affect v6.6 (I 
don't know enough to be sure that bugs in pcre 7.x really affect 6.x), and 
the latest pcre 7.7 also has cve's against it so upgrading to pcre 7.7 is 
not going to completely resolve this question anyway.

We updated zlib to 1.2.3 for security vulns at the same time as we updated 
pcre (just before 2.5.03 went stable) and that is still the latest version.

I have stated repeatedly that my goal for 2.5.04 is not to fix anything and 
that it'll be largely "as broken as 2.5.03" since no one is complaining about 
2.5.03 - the whole point of 2.5.04 is to add features (see my last release 
notes on the newsgroup for more of a rant on that).

I don't really like releasing things with known CVEs but I think in this 
case I will because my understanding is that the risk is a) no worse 
than the current CVSNT release and b) pretty insignificant anyway.

Putting this on the table as needing fixing by 2.5.05 is worthwhile.

Can anyone shed more light on this?


Arthur Barrett