Hi,

> On 25 Nov 2019, at 15:20, Salvatore Bonaccorso <car...@debian.org> wrote:
>
> Hi,
>
> On Mon, Nov 25, 2019 at 11:50:00AM +0100, Sylvain Beucler wrote:
>> Hi,
>>
>> On 22/11/2019 21:23, Sylvain Beucler wrote:
>>> I see in 'embedded-code-copies':
>>>
>>> libonig
>>> - php5 5.3.2-1 (embed)
>>>
>>> (i.e. from 2010)
>>>
>>> Jessie seems to properly link to libonig (dependency of e.g.
>>> libapache2-mod-php5).
>>>
>>> Stretch and Buster however (probably since the new phpX.X-mbstring
>>> package) do not link libonig anymore, despite build-depending on it, so
>>> I assume the library is either statically linked, or PHP's embedded copy
>>> is used.
>>>
>>> There are various vulnerabilities affecting libonig at the moment, some
>>> properly reported against libonig, some against PHP (e.g.
>>> https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
>>>
>>> Do you know what the current situation is supposed to be?
>>
>> Ping?
>>
>> AFAICS there's no --with-onig in the build process which means PHP is
>> using an embedded copy of libonig for Stretch & Buster.
>>
>> Should I file a bug against php7.0 & php7.3 to clarify?
>
> This seems to have been an explicit decision in e4ca1ccf8cd0 ("Disable
> all extensions with --disable-all and remove the various configure
> options related to disabling the extensions")[1] apparently in
> debian/7.0.0_rc1-1. Can you try to clarify with the maintainer?
>
> [1]
> https://salsa.debian.org/php-team/php/commit/e4ca1ccf8cd09016d8cc6f321d2e6b6702f66089
>
> Regards,
> Salvatore
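The linking check Sylvain describes above (does mbstring pull in the system libonig, or does it carry PHP's bundled copy?) can be made mechanical. The script that follows is an added example, not code from this thread or from the Debian php packaging: it classifies a PHP module from its ELF dynamic section and exported symbols, the module path (e.g. /usr/lib/php/<api>/mbstring.so) is an assumption, and the sample readelf/nm listings are constructed to mirror the Jessie and Stretch situations described in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: classify whether a PHP module
# (e.g. mbstring.so) links the system libonig or carries its own copy.
#
# Evidence used:
#   - a NEEDED entry for libonig.so.N in the dynamic section
#       => the system library is used (the Jessie situation)
#   - onig_* symbols defined inside the module and no NEEDED entry
#       => Oniguruma is compiled in (embedded copy or static link),
#          so libonig security updates do not reach this binary
#
# classify_onig_text works on captured listings so it runs offline;
# inspect_module feeds it the real 'readelf -d' and 'nm -D' output.

classify_onig_text() {
    # $1: 'readelf -d' output   $2: 'nm -D --defined-only' output
    needed=$(printf '%s\n' "$1" | grep -c 'NEEDED.*libonig' || true)
    defined=$(printf '%s\n' "$2" | grep -c ' T onig_' || true)
    if [ "$needed" -gt 0 ]; then
        echo system
    elif [ "$defined" -gt 0 ]; then
        echo embedded
    else
        echo none
    fi
}

inspect_module() {
    # $1: module path, e.g. /usr/lib/php/<api>/mbstring.so (assumed path)
    # Builds that hide onig_* symbols will show 'none' here; checking
    # 'strings' for an Oniguruma version banner is the manual fallback.
    classify_onig_text "$(readelf -d "$1")" \
                       "$(nm -D --defined-only "$1" 2>/dev/null || true)"
}

# Constructed sample listings modelled on the two situations in the thread.
JESSIE_DYN=' 0x0000000000000001 (NEEDED)  Shared library: [libonig.so.2]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'
JESSIE_SYMS='0000000000005000 T zif_mb_ereg'
STRETCH_DYN=' 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'
STRETCH_SYMS='0000000000012340 T onig_new
0000000000012a00 T onig_search
0000000000005000 T zif_mb_ereg'

# Usage: sh check_onig.sh /path/to/mbstring.so  (no argument: run samples)
if [ "$#" -gt 0 ]; then
    inspect_module "$1"
else
    echo "jessie-like:  $(classify_onig_text "$JESSIE_DYN" "$JESSIE_SYMS")"
    echo "stretch-like: $(classify_onig_text "$STRETCH_DYN" "$STRETCH_SYMS")"
fi
```

A result of "embedded" on a Debian host means a libonig DSA alone will not fix the PHP module; the fix has to ship in the php source package, which is the tracking question this thread raises.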