From $URL:
* A bug was found in the pcre implementation for subst(). If the "global" flag is specified and pcre returns an error, an infinite loop is created, consuming memory in the process. It is triggered by PCRE 8.12, but could potentially affect older versions too.
Michael, 3.2.4 is already in the tree. Is it suitable for stabilization?
@tim No problem with it on my server =)
(In reply to comment #1)
> @tim
>
> No problem with it on my server =)
Thanks, Agostino. ;) Mr. Bones, ping?
added bug #370845 for the stablereq
(In reply to comment #3)
> added bug #370845 for the stablereq
Great, thank you.
Thanks, folks. GLSA request filed.
CVE-2011-1951 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1951): lib/logmatcher.c in Balabit syslog-ng before 3.2.4, when the global flag is set and when using PCRE 8.12 and possibly other versions, allows remote attackers to cause a denial of service (memory consumption) via a message that does not match a regular expression.
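Added illustration, not part of any comment in this thread and not syslog-ng's code: a self-contained C model of the failure class described in the first comment and in the CVE entry, where a "global" substitute loop stops only on the no-match return code, so an error return appends output without advancing. `toy_exec`, `subst_global`, the `RC_*` codes, the 0xFF trigger byte and the output cap are all hypothetical stand-ins; which return code syslog-ng mishandled is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Return codes modelled on pcre_exec(): >0 match, -1 no match, other negatives are errors. */
#define RC_NOMATCH (-1)
#define RC_ERROR   (-10)  /* constructed stand-in for any error return */

/* Hypothetical stand-in for pcre_exec(): matches the letter 'a' at or after start.
   A 0xFF byte makes it fail with RC_ERROR and leave ov[] untouched. */
static int toy_exec(const char *s, int len, int start, int *ov) {
    for (int i = start; i < len; i++) {
        if ((unsigned char)s[i] == 0xFF) return RC_ERROR;
        if (s[i] == 'a') { ov[0] = i; ov[1] = i + 1; return 1; }
    }
    return RC_NOMATCH;
}

/* Replace every 'a' with "XY". Returns the output length, or -1 when the output
   reaches cap, which is this model's bounded stand-in for unbounded growth. */
static long subst_global(const char *s, int len, char *out, long cap, int stop_on_error) {
    int start = 0;
    long n = 0;
    for (;;) {
        int ov[2] = { start, start };              /* assumption: offsets reset per call */
        int rc = toy_exec(s, len, start, ov);
        if (rc == RC_NOMATCH) break;
        if (rc < 0 && stop_on_error) break;        /* hardened: any failure ends the loop */
        /* flawed path: an error falls through, appends, and start does not advance */
        int pre = ov[0] - start;
        if (n + pre + 2 + (len - start) >= cap) return -1;
        memcpy(out + n, s + start, (size_t)pre); n += pre;
        memcpy(out + n, "XY", 2);                  n += 2;
        start = ov[1];
    }
    memcpy(out + n, s + start, (size_t)(len - start));
    n += len - start;
    out[n] = '\0';
    return n;
}

int main(void) {
    char buf[64];
    const char bad[] = "ba\xFF" "a";               /* constructed input that triggers RC_ERROR */
    printf("clean input:       %ld\n", subst_global("banana", 6, buf, sizeof buf, 0));
    printf("flawed, bad input: %ld\n", subst_global(bad, 4, buf, sizeof buf, 0));
    printf("hardened, bad:     %ld\n", subst_global(bad, 4, buf, sizeof buf, 1));
    return 0;
}
```

In the model, the flawed path only terminates because of the cap; the hardened path stops at the first failing call and copies the rest of the message through unchanged.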
what's the next step in getting this closed?
(In reply to Mr. Bones. from comment #7)
> what's the next step in getting this closed?
Releasing a GLSA. Please read the note at the bottom of bugzilla about NOT closing security bugs.
Then get it done. Three years makes a GLSA irrelevant.
This issue was resolved and addressed in GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml by GLSA coordinator Sean Amoss (ackle).