Versions mentioned in the description apply to the upstream
Remediation section below for
Debian:9 relevant versions.
The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.
pcre3 to version 2:8.39-2.1 or higher.