Status of php-mbstring vs. libonig
I see in 'embedded-code-copies':
- php5 5.3.2-1 (embed)
(i.e. from 2010)
Jessie seems to properly link to libonig (dependency of e.g.
Stretch and Buster however (probably since the new phpX.X-mbstring
package) do not link libonig anymore, despite build-depending on it, so
I assume the library is either statically linked, or PHP's embedded copy
There are various vulnerabilities affected libonig at the moment, some
properly reported against libonig, some against PHP (e.g.
https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
Do you know what the current situation is supposed to be?