Re: Issue affecting php5?

To: debian-lts@lists.debian.org
Subject: Re: Issue affecting php5?
From: Roberto C. Sánchez <roberto@debian.org>
Date: Sat, 18 Nov 2017 23:00:18 -0500
Message-id: <[🔎] 20171119040018.tjk5lfa3h6ojyuu3@connexer.com>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] 20171118163750.wyfhtm7dzgkgeewb@home.ouaza.com>
References: <[🔎] 20171115112608.h7itgeq3jqs5pjrm@connexer.com> <[🔎] 20171118163750.wyfhtm7dzgkgeewb@home.ouaza.com>

On Sat, Nov 18, 2017 at 05:37:50PM +0100, Raphael Hertzog wrote:
> Hi,
> 
> On Wed, 15 Nov 2017, Roberto C. Sánchez wrote:
> > The commit was made for PHP version 5.6 and mentions CVE-2017-14107 [0].
> > However, CVE-2017-14107 is only listed for libzip in the security
> > tracker.  I looked at the build log and php5 in wheezy definitely builds
> > the file that was modified in that commit.  My conclusion is that php5
> > in wheezy embeds and builds a vulnerable version of libzip. Is it then
> > correct to add php5 as being affected by that CVE in data/CVE/list?
> 
> Yes.
> 
Thanks for confirming.

I annotated the entry for CVE-2017-14107 as affecting php5 and based on
the information that was apparently used to decide on no-DSA for that
CVE in libzip, I also marked php5 in wheezy as no-DSA for that CVE.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Reply to:

References:
- Issue affecting php5?
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: Issue affecting php5?
  - From: Raphael Hertzog <hertzog@debian.org>

Prev by Date: Re: Request for testing: python2.6/python2.7
Next by Date: Call for testing: xserver
Previous by thread: Re: Issue affecting php5?
Next by thread: LTS report for October
Index(es):
- Date
- Thread