On Sat, Nov 18, 2017 at 05:37:50PM +0100, Raphael Hertzog wrote:
> Hi,
>
> On Wed, 15 Nov 2017, Roberto C. Sánchez wrote:
> > The commit was made for PHP version 5.6 and mentions CVE-2017-14107 [0].
> > However, CVE-2017-14107 is only listed for libzip in the security
> > tracker. I looked at the build log and php5 in wheezy definitely builds
> > the file that was modified in that commit. My conclusion is that php5
> > in wheezy embeds and builds a vulnerable version of libzip. Is it then
> > correct to add php5 as being affected by that CVE in data/CVE/list?
>
> Yes.

Thanks for confirming.
I annotated the entry for CVE-2017-14107 as affecting php5 and based on the information that was apparently used to decide on no-DSA for that CVE in libzip, I also marked php5 in wheezy as no-DSA for that CVE.

Regards,

-Roberto

-- 
Roberto C. Sánchez
