Hi Mark, Unfortunately, as of right now the only way to get pcre 8.38 is via their rc1 candidate (check the pcre-dev mailing list for a tarball).
In practice, the pcre exploit ClamAV warns about ( http://www.securitytracker.com/id/1032453) relies upon an explicitly malicious regex, so you don't have to worry too much unless you're using untrusted sigs. Everything should still compile and run just fine, even with 8.37. - Mickey On Fri, Nov 20, 2015 at 8:08 AM, Mark Allan <markjal...@gmail.com> wrote: > Hi all, > > I saw the blog post about v0.99 rc 2 and have downloaded it for testing. > > It looks like bug 11411 [ > https://bugzilla.clamav.net/show_bug.cgi?id=11411 ] is still open, so I > decided to download and build PCRE as well. > > I initially tried the PCRE2 branch but it wasn't recognised by ClamAV's > configure script, so I went with the most up-to-date version of PCRE (which > is currently 8.37) but now configure outputs the following: > > configure: WARNING: The installed pcre version may contain a security bug. > Please upgrade to 8.38 or later: http://www.pcre.org > > There is no 8.38 that I can see: > https://sourceforge.net/projects/pcre/files/pcre/ > > Are you just assuming that 8.38 will be coming soon to fix the bug, or is > there a download somewhere that I'm not seeing? > > Thanks > Mark > > _______________________________________________ > http://lurker.clamav.net/list/clamav-devel.html > Please submit your patches to our Bugzilla: http://bugs.clamav.net > > http://www.clamav.net/contact.html#ml > _______________________________________________ http://lurker.clamav.net/list/clamav-devel.html Please submit your patches to our Bugzilla: http://bugs.clamav.net http://www.clamav.net/contact.html#ml
