[php-maint] php5.6 and php7.0 versions and security fixes missing

Ondřej Surý ondrej at sury.org
Wed Nov 15 16:35:39 UTC 2017


Focus on the "embedded" part of the sentence. We don't use "embedded
libraries", but external ones.

You can check the status of individual CVEs in Debian and the assessment
of the issue by the security team here:

https://security-tracker.debian.org/tracker/CVE-<num>


Some examples:

https://security-tracker.debian.org/tracker/CVE-2017-7890
https://security-tracker.debian.org/tracker/CVE-2017-9224

-- 
Ondřej Surý <ondrej at sury.org>

On Wed, Nov 15, 2017, at 17:28, Höhle, Jörg wrote:
> Sorry, didn't think about the language...
> 
> As mbstring and pcre and gd are part of php 5.6.30, do I see that right
> that the CVEs (Mishandling of patterns in pcre 8.38 with possible DOS or
> other impact), the CVEs for mbstring (multiple out of bound reads and
> writes) and gd (possible disclosure of sensitive information through
> specially crafted image) are seen as noncritical?
> 
> -----Original Message-----
> From: Ondřej Surý [mailto:ondrej at sury.org] 
> Sent: Wednesday, November 15, 2017 4:51 PM
> To: Höhle, Jörg <hoehle at uni-mainz.de>;
> pkg-php-maint at lists.alioth.debian.org
> Subject: Re: [php-maint] php5.6 and php7.0 versions and security fixes
> missing
> 
> This is an English-only mailing list, you should not expect that other
> people can read German.
> 
> Also all critical security fixes in the mentioned versions were in embedded
> libraries that Debian doesn't use.
> 
> O.
> --
> Ondřej Surý <ondrej at sury.org>
> 
> On Wed, Nov 15, 2017, at 16:22, Höhle, Jörg wrote:
> > Hello,
> > 
> > the php5.6 version in jessie has not been brought up to date since 
> > January 25, despite several fixes for various CVEs in 5.6.31 and 
> > 5.6.32.
> > 
> > The same goes for the php7.0 version in stretch, which has remained at
> > 7.0.19 since May, compared with the current 7.0.25 version at 
> > php.net.
> > 
> > Are there problems with the maintenance of the PHP packages? Should we 
> > switch our servers to other sources?
> > 
> > Kind regards,
> > 
> > Jörg Höhle
> > _______________________________________________
> > pkg-php-maint mailing list
> > pkg-php-maint at lists.alioth.debian.org
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint