
Re: Issue affecting php5?

On Sat, Nov 18, 2017 at 05:37:50PM +0100, Raphael Hertzog wrote:
> Hi,
> On Wed, 15 Nov 2017, Roberto C. Sánchez wrote:
> > The commit was made for PHP version 5.6 and mentions CVE-2017-14107 [0].
> > However, CVE-2017-14107 is only listed for libzip in the security
> > tracker.  I looked at the build log and php5 in wheezy definitely builds
> > the file that was modified in that commit.  My conclusion is that php5
> > in wheezy embeds and builds a vulnerable version of libzip. Is it then
> > correct to add php5 as being affected by that CVE in data/CVE/list?
> Yes.
Thanks for confirming.

I annotated the entry for CVE-2017-14107 as affecting php5 and based on
the information that was apparently used to decide on no-DSA for that
CVE in libzip, I also marked php5 in wheezy as no-DSA for that CVE.



Roberto C. Sánchez
