package: src:pcre2
version: 10.45-1
tags: security upstream trixie forky

PCRE upstream released 10.46 yesterday to fix CVE-2025-58050 - https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.46

Quoting the release note:

"
This is a security-only release, to address CVE-2025-58050.

Compared to 10.45, this release has only a minimal code change to prevent a read-past-the-end memory error, of arbitrary length. An attacker-controlled regex pattern is required, and it cannot be triggered by providing crafted subject (match) text. The (*ACCEPT) and (*scs:) pattern features must be used together. Release 10.44 and earlier are not affected.

This could have implications of denial-of-service or information disclosure, and could potentially be used to escalate other vulnerabilities in a system (such as information disclosure being used to escalate the severity of an unrelated bug in another system).
"

So trixie (10.45-1) and forky/unstable are vulnerable, but not older releases.

Regards,

Matthew

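An added example, not part of the bug report and not PCRE2 or Debian code: a pre-compile screen for services that accept regex patterns from untrusted users and cannot upgrade at once, rejecting patterns that combine the two features the release note names. The function names are hypothetical, the caller supplies the library version (for instance from the `PCRE2_MAJOR` and `PCRE2_MINOR` macros), and the long spelling `(*scan_substring:` is assumed from the PCRE2 documentation rather than taken from this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-delimited substring search: PCRE2 patterns are passed with an
   explicit length and may contain NUL bytes, so strstr() is not enough. */
static int has_token(const char *buf, size_t len, const char *tok)
{
    size_t n = strlen(tok);
    for (size_t i = 0; n <= len && i <= len - n; i++)
        if (memcmp(buf + i, tok, n) == 0)
            return 1;
    return 0;
}

/* 1 if the pattern text mentions both features named in the release note.
   Deliberately over-approximate: a token inside \Q...\E or a character class
   is still flagged, because a false rejection is cheaper than a false pass. */
int uses_accept_with_scs(const char *pat, size_t len)
{
    int accept = has_token(pat, len, "(*ACCEPT");        /* also (*ACCEPT:NAME) */
    int scs = has_token(pat, len, "(*scs:") ||
              has_token(pat, len, "(*scan_substring:");  /* assumed long form */
    return accept && scs;
}

/* Hypothetical policy hook: refuse an untrusted pattern only when the linked
   library is the affected 10.45 release and both features are present. */
int reject_untrusted_pattern(int major, int minor, const char *pat, size_t len)
{
    if (major != 10 || minor != 45)
        return 0;  /* 10.44 and earlier unaffected; 10.46 carries the fix */
    return uses_accept_with_scs(pat, len);
}

int main(void)
{
    /* Constructed token fragments, not valid patterns. */
    const char *both = "(*scs: (*ACCEPT";
    const char *one = "foo(*ACCEPT)bar";
    printf("%d %d %d\n",
           reject_untrusted_pattern(10, 45, both, strlen(both)),
           reject_untrusted_pattern(10, 45, one, strlen(one)),
           reject_untrusted_pattern(10, 46, both, strlen(both)));
    return 0;
}
```

The screen is a stopgap for the 8-bit library interface only; installing the fixed package removes the need for it.
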
We believe that the bug you reported is fixed in the latest version of pcre2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1112278@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthew Vernon <matthew@debian.org> (supplier of updated pcre2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 28 Aug 2025 08:32:30 +0100
Source: pcre2
Architecture: source
Version: 10.46-1
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Matthew Vernon <matthew@debian.org>
Closes: 1112278
Changes:
 pcre2 (10.46-1) unstable; urgency=high
 .
   * New upstream release to fix CVE-2025-58050 (Closes: #1112278)

We believe that the bug you reported is fixed in the latest version of pcre2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1112278@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthew Vernon <matthew@debian.org> (supplier of updated pcre2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 28 Aug 2025 08:43:18 +0100
Source: pcre2
Architecture: source
Version: 10.46-1~deb13u1
Distribution: trixie
Urgency: high
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Matthew Vernon <matthew@debian.org>
Closes: 1112278
Changes:
 pcre2 (10.46-1~deb13u1) trixie; urgency=high
 .
   * New upstream release to fix CVE-2025-58050 (Closes: #1112278)