pcre 8.37 contains multiple remote code execution vulnerabilities which are only fixed in upstream SVN
PCRE 8.37 contains multiple security vulnerabilities (over half a dozen
buffer overflows and reference offset bugs):
http://vcs.pcre.org/pcre/code/trunk/ChangeLog
At least one of those vulnerabilities has been assigned CVE-2015-3210,
where it is also claimed that this can be used for remote code
execution:
http://www.securitytracker.com/id/1032453
Although upstream has not yet released a new version of PCRE, they have
fixed these vulnerabilities in their SVN:
https://bugs.exim.org/show_bug.cgi?id=1636#c1
I therefore propose that the SVN version of PCRE be shipped until upstream releases PCRE 8.38.
(from redmine: issue id 4350, created on 2015-06-15, closed on 2019-05-04)