* A bug was found in the pcre implementation for subst(). If the
"global" flag is specified and pcre returns an error, an infinite
loop is created, consuming memory in the process. It is triggered
by PCRE 8.12, but could potentially affect older versions too.
Michael, 3.2.4 is already in the tree. Is it suitable for stabilization?
No problem with it on my server =)
(In reply to comment #1)
> No problem with it on my server =)
Thanks, Agostino. ;)
Mr. Bones, ping?
Added bug #370845 for the stablereq.
(In reply to comment #3)
> Added bug #370845 for the stablereq.
Great, thank you.
Thanks, folks. GLSA request filed.
lib/logmatcher.c in Balabit syslog-ng before 3.2.4, when the global flag is
set and when using PCRE 8.12 and possibly other versions, allows remote
attackers to cause a denial of service (memory consumption) via a message
that does not match a regular expression.
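
A defensive shape for the loop described above, in which a "global" substitution must stop as soon as the matcher reports an error. This is an added example, not syslog-ng's code: `subst_global`, `match_fn`, the `M_*` codes and the stub matchers are hypothetical, and empty matches are rejected outright to keep the forward-progress check simple.

```c
#include <string.h>
/* Constructed codes in the PCRE style: >= 0 match, negative no-match or error. */
#define M_NOMATCH (-1)
#define M_ERROR   (-8)
/* Hypothetical matcher: on a match, ovec[0]/ovec[1] hold its start/end. */
typedef int (*match_fn)(const char *s, size_t len, size_t start, size_t ovec[2]);

/* Replace every match in `in` with `rep`. Returns the replacement count, or -1
 * (contents of `out` unspecified) on matcher error, bad offsets or a full buffer. */
int subst_global(match_fn m, const char *in, const char *rep, char *out, size_t cap)
{
    size_t len = strlen(in), rlen = strlen(rep), pos = 0, o = 0, ovec[2];
    int count = 0;
    while (pos < len) {
        int rc = m(in, len, pos, ovec);
        if (rc == M_NOMATCH) break;   /* normal end of a global pass */
        if (rc < 0) return -1;        /* any other error must end the loop too */
        if (ovec[0] < pos || ovec[1] <= ovec[0] || ovec[1] > len) return -1; /* no progress */
        size_t lit = ovec[0] - pos;   /* literal text before the match */
        if (o + lit + rlen >= cap) return -1;   /* output stays bounded */
        memcpy(out + o, in + pos, lit);  o += lit;
        memcpy(out + o, rep, rlen);      o += rlen;
        pos = ovec[1];
        count++;
    }
    if (o + (len - pos) >= cap) return -1;
    memcpy(out + o, in + pos, len - pos);       /* unmatched tail */
    out[o + len - pos] = '\0';
    return count;
}
/* Constructed stub: matches the next 'a' at or after `start`. */
static int match_a(const char *s, size_t len, size_t start, size_t ovec[2])
{
    const char *p = memchr(s + start, 'a', len - start);
    if (!p) return M_NOMATCH;
    ovec[0] = (size_t)(p - s);
    ovec[1] = ovec[0] + 1;
    return 1;
}
/* Constructed stub: always fails the way an internal matcher error would. */
static int match_err(const char *s, size_t len, size_t start, size_t ovec[2])
{
    (void)s; (void)len; (void)start; (void)ovec;
    return M_ERROR;
}
int main(void)
{
    char out[32];
    return !(subst_global(match_a, "banana", "X", out, sizeof out) == 3 &&
             subst_global(match_err, "banana", "X", out, sizeof out) == -1);
}
```
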
What's the next step in getting this closed?
(In reply to Mr. Bones. from comment #7)
> What's the next step in getting this closed?
Releasing a GLSA.
Please read the note at the bottom of bugzilla about NOT closing security bugs.
Then get it done. Three years makes a GLSA irrelevant.
This issue was resolved and addressed in
GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).