Vulnerability of PCRE: buffer overflow of compile_branch

Synthesis of the vulnerability 

An attacker can generate a buffer overflow in compile_branch of PCRE, in order to trigger a denial of service, and possibly to execute code.
Vulnerable software: BIG-IP Hardware, TMOS, MongoDB Server, openSUSE, openSUSE Leap, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu.
Severity of this announcement: 2/4.
Creation date: 12/05/2015.
References of this computer vulnerability: CERTFR-2015-AVI-265, CVE-2015-2325, openSUSE-SU-2015:0858-1, openSUSE-SU-2015:1216-1, openSUSE-SU-2016:3099-1, RHSA-2016:2750-01, SERVER-18312, SOL16983, SSA:2015-162-02, SSA:2015-198-02, SUSE-SU-2015:1273-1, USN-2694-1, USN-2943-1, VIGILANCE-VUL-16879.

Description of the vulnerability 

An attacker can generate a buffer overflow in compile_branch of PCRE, in order to trigger a denial of service, and possibly to execute code.

This computer threat bulletin impacts software or systems such as BIG-IP Hardware, TMOS, MongoDB Server, openSUSE, openSUSE Leap, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu.

Our Vigil@nce team determined that the severity of this security threat is medium.

The trust level of this bulletin is "confirmed by the editor", and its origin is a document.

An attacker with expert ability can exploit this computer vulnerability alert.

Solutions for this threat 

F5 BIG-IP: fixed versions for PCRE.
Fixed versions are indicated in information sources.

MongoDB: versions 2.6.10, 3.0.4.
Versions 2.6.10, 3.0.4 are fixed.

openSUSE 13: new mariadb packages.
New packages are available:
  openSUSE 13.2: mariadb 10.0.20-2.9.1
  openSUSE 13.1: mariadb 5.5.44-4.1

openSUSE Leap: new pcre packages.
New packages are available:
  openSUSE Leap 42.2: libpcre1 8.39-6.1
  openSUSE Leap 42.1: libpcre1 8.39-5.1

openSUSE: new pcre packages.
New packages are available:
  openSUSE 13.1: pcre 8.37-2.4.1
  openSUSE 13.2: pcre 8.37-3.5.1

PHP: version 5.5.26.
Version 5.5.26 is fixed:
  http://php.net/get/php-5.5.26.tar.bz2/from/a/mirror

PHP: version 5.6.10.
Version 5.6.10 is fixed:
  http://php.net/get/php-5.6.10.tar.bz2/from/a/mirror

RHEL: new rh-php56 packages.
New packages are available:
  RHEL 6: rh-php56 2.3-1.el6
  RHEL 7: rh-php56 2.3-1.el7

Slackware: new php packages (12/06/2015).
New packages are available:
  Slackware 14.0: php 5.4.41-*-1_slack14.0
  Slackware 14.1: php 5.4.41-*-1_slack14.1

Slackware: new php packages (20/07/2015).
New packages are available:
  Slackware 14.0: php 5.4.43-*-1_slack14.0
  Slackware 14.1: php 5.4.43-*-1_slack14.1

SUSE LE 12: new mariadb packages.
New packages are available:
  SUSE LE 12: mariadb 10.0.20-18.1

Synology DS214, RS214: version 5.2-5592.
Version 5.2-5592 is fixed.

Ubuntu: new libpcre3 packages (30/03/2016).
New packages are available:
  Ubuntu 15.10: libpcre3 2:8.35-7.1ubuntu1.3
  Ubuntu 14.04 LTS: libpcre3 1:8.31-2ubuntu2.2
  Ubuntu 12.04 LTS: libpcre3 8.12-4ubuntu0.2

Ubuntu: new libpcre3 packages (30/07/2015).
New packages are available:
  Ubuntu 15.04: libpcre3 2:8.35-3.3ubuntu1.1
  Ubuntu 14.04 LTS: libpcre3 1:8.31-2ubuntu2.1
  Ubuntu 12.04 LTS: libpcre3 8.12-4ubuntu0.1