Status of php-mbstring vs. libonig


I see in 'embedded-code-copies':

      - php5 5.3.2-1 (embed)

(i.e. from 2010)

Jessie seems to properly link to libonig (dependency of e.g.

Stretch and Buster however (probably since the new phpX.X-mbstring
package) do not link libonig anymore, despite build-depending on it, so
I assume the library is either statically linked, or PHP's embedded copy
is used.

There are various vulnerabilities affecting libonig at the moment, some
properly reported against libonig, some against PHP (e.g.
https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).

Do you know what the current situation is supposed to be?


