[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2020-36193 php-pear vs drupal7

Morning Ola,

> Today I looked at CVE-2020-36193 since we have php-pear in dla-needed.
> Ths thing is that this CVE tells that drupal7 is also vulnerable but
> drupal7 is not in dla-needed.txt.

It may be that drupal7 was not marked as being vulnerable to
CVE-2020-36193 at the time of triage. After all, the code copy of
Tar.php (in "system.tar.inc") is very slightly hidden. I would go
ahead and add drupal7 as well -- a very quick glance suggests that it
is, indeed, vulnerable.


     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk

Reply to: