Re: Status of php-mbstring vs. libonig
Hi,
On 22/11/2019 21:23, Sylvain Beucler wrote:
> I see in 'embedded-code-copies':
>
> libonig
> - php5 5.3.2-1 (embed)
>
> (i.e. from 2010)
>
> Jessie seems to properly link to libonig (dependency of e.g.
> libapache2-mod-php5).
>
> Stretch and Buster however (probably since the new phpX.X-mbstring
> package) do not link libonig anymore, despite build-depending on it, so
> I assume the library is either statically linked, or PHP's embedded copy
> is used.
>
> There are various vulnerabilities affected libonig at the moment, some
> properly reported against libonig, some against PHP (e.g.
> https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
>
> Do you know what the current situation is supposed to be?
Ping?
AFAICS there's no --with-onig in the build process which means PHP is
using an embedded copy of libonig for Stretch & Buster.
Should I file a bug against php7.0&php7.3 to clarify?
Cheers!
Sylvain
Reply to: