Added number for CVE-2025-58050

NWilson · web-flow · commit b2bd4254b379 · 2025-08-27T14:12:30.000Z
diff --git a/ChangeLog b/ChangeLog
@@ -10,9 +10,9 @@ listed here.
 Version 10.46 27-August-2025
 ----------------------------
 
-1. (#771) Security fix to prevent a read-past-the-end memory error, of
-arbitrary length. An attacker-controlled regex pattern is required, and it
-cannot be triggered by providing crafted subject (match) text. The
+1. (#771) (CVE-2025-58050) Security fix to prevent a read-past-the-end memory
+error, of arbitrary length. An attacker-controlled regex pattern is required,
+and it cannot be triggered by providing crafted subject (match) text. The
 (*ACCEPT) and (*scs:) pattern features must be used together.
 
 Release 10.44 and earlier are not affected.
diff --git a/NEWS b/NEWS
@@ -4,7 +4,9 @@ News about PCRE2 releases
 Version 10.46 27-August-2025
 ----------------------------
 
-This is a security-only release, with only a minimal code change to prevent a
+This is a security-only release, to address CVE-2025-58050.
+
+Compared to 10.45, this release has only a minimal code change to prevent a
 read-past-the-end memory error, of arbitrary length. An attacker-controlled
 regex pattern is required, and it cannot be triggered by providing crafted
 subject (match) text. The (*ACCEPT) and (*scs:) pattern features must be used
diff --git a/SECURITY.md b/SECURITY.md
@@ -20,6 +20,11 @@ Git checkout of the (GPG-signed) release tag.
 Please contact the maintainers for any queries about release integrity or the
 project's supply-chain.
 
+## Previous vulnerabilities
+
+* CVE-2025-58050 (August 2025). Affects 10.45 only (not earlier), and is fixed
+  in 10.46.
+
 ## Reporting vulnerabilities
 
 The PCRE2 project prioritises security. We appreciate third-party testing and
@@ -38,7 +43,13 @@ aim to respond within 1 week, or perhaps 2 during holidays.
 
 ### Response procedure
 
-PCRE2 has never previously made a rapid or embargoed release in response to a
-security incident. We would work with security managers from trusted downstream
-distributors, such as major Linux distributions, before disclosing the
-vulnerability publicly.
+PCRE2 has in the past made at least one rapid release in response to
+security incidents.
+
+We have never produced an embargoed release, or provided preferential
+access to security fixes to any clients.
+
+We would aim to notify security managers from trusted downstream distributors,
+such as major Linux distributions, via the `pcre2-dev` mailing list, by
+publicly signalling an upcoming security release before disclosing the
+vulnerability publicly, where advance notification is possible.
