Bug 1049107

Summary: package virtuoso bundles pcre lib
Product: [Novell Products] SUSE Security Incidents
Reporter: Victor Pereira <vpereira>
Component: General
Assignee: E-mail List <kde-maintainers>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1049096

Description Victor Pereira 2017-07-18 08:29:32 UTC
Dear Maintainer,

The package SUSE:SLE-12:Update/virtuoso has PCRE bundled together with the source code. This is a problem for the security team, because we are not able to track and update the bundled libraries if a security vulnerability is found in this lib. If possible, please switch it to use pcre, pcre-devel as build requirements. Would it be possible to try it in the package SUSE:SLE-12:Update/virtuoso?

Thank you

Victor
Comment 1 Michal Marek 2017-07-18 08:56:32 UTC
I'm not the maintainer of virtuoso. It is a build dependency of nepomuk-core, but not shipped anywhere except for the bootstrap kit. BTW

Wed Jan 25 10:45:11 UTC 2012 - idonmez@suse.com

- Back to internal PCRE, system one will result in runtime problems. 

Anyway, the KDE developers should decide, not me.
Comment 2 Victor Pereira 2018-03-26 16:05:45 UTC
Looks like it cannot use the system version and it's not being distributed.