Hi,

On 22/11/2019 21:23, Sylvain Beucler wrote:
> I see in 'embedded-code-copies':
>
> libonig
> - php5 5.3.2-1 (embed)
>
> (i.e. from 2010)
>
> Jessie seems to properly link to libonig (dependency of e.g.
> libapache2-mod-php5).
>
> Stretch and Buster however (probably since the new phpX.X-mbstring
> package) do not link libonig anymore, despite build-depending on it, so
> I assume the library is either statically linked, or PHP's embedded copy
> is used.
>
> There are various vulnerabilities affecting libonig at the moment, some
> properly reported against libonig, some against PHP (e.g.
> https://bugs.php.net/bug.php?id=78559 - I just requested a CVE).
>
> Do you know what the current situation is supposed to be?

Ping?

AFAICS there's no --with-onig in the build process which means PHP is
using an embedded copy of libonig for Stretch & Buster.

Should I file a bug against php7.0&php7.3 to clarify?

Cheers!
Sylvain