Re: Issue affecting php5?
On Sat, Nov 18, 2017 at 05:37:50PM +0100, Raphael Hertzog wrote:
> Hi,
>
> On Wed, 15 Nov 2017, Roberto C. Sánchez wrote:
> > The commit was made for PHP version 5.6 and mentions CVE-2017-14107 [0].
> > However, CVE-2017-14107 is only listed for libzip in the security
> > tracker. I looked at the build log and php5 in wheezy definitely builds
> > the file that was modified in that commit. My conclusion is that php5
> > in wheezy embeds and builds a vulnerable version of libzip. Is it then
> > correct to add php5 as being affected by that CVE in data/CVE/list?
>
> Yes.
>
Thanks for confirming.

I annotated the entry for CVE-2017-14107 as affecting php5 and based on
the information that was apparently used to decide on no-DSA for that
CVE in libzip, I also marked php5 in wheezy as no-DSA for that CVE.

Regards,

-Roberto
--
Roberto C. Sánchez