Hi Christoph, > -----Original Message----- > From: Christoph M. Becker [mailto:cmbecke...@gmx.de] > Sent: Tuesday, February 27, 2018 2:36 PM > To: PHP Internals List <internals@lists.php.net> > Subject: [PHP-DEV] Status of our bundled liboniguruma > > Hi! > > I noticed that master bundles oniguruma 6.3.0[1], while oniguruma 6.7.1 has > already been released a month ago[2]. Is there any particular reason not to > update to the latest oniguruma, or has it just been forgotten? > > [1] <https://github.com/php/php-src/tree/master/ext/mbstring/oniguruma> > [2] <https://github.com/kkos/oniguruma/releases/tag/v6.7.1> > 6.3.0 was the last containing CVE fixes which was also backported to PHP 5.6. It was upgraded less than a year ago, since then quite a few versions came out. For 7.3 we could for sure aim at an upgrade to the latest Oniguruma. Some behavior change could be expected according to the release notes, but IMO we'd be fine to try an upgrade before 7.3 starts the pre cycle.
Regards Anatol
