Hello,
On 08/10/2021 10:54, Radoslav Bodó wrote:
> I'm not sure how to properly escalate this bug report, but I guess it's
> worth at least a fast acknowledgement
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995871

You could upgrade the severity to 'grave', add the 'security' tag for
this bug, and add a rationale on when 'disable_functions' is used as a
first-level security protection.
Though the most effective way to trigger the security workflow would be
to get PHP Group to issue a CVE for this. They may plan to do so when
they release a new fixed version themselves.
Thanks for the info.
Cheers!
Sylvain Beucler
Debian LTS Team