Hi, PHP published a fixed version (7.3.11) before this CVE went public. Can you please package and upload that version?
If that is not possible, can you please at least explain in the bug report why fixing this (pretty serious) bug is not possible at the moment? That might attract some assistance if needed. -- mvg, Alex Hermann
