On 09.01.2021 at 21:31, Jan Ehrhardt wrote:

> "Christoph M. Becker" in php.internals (Fri, 8 Jan 2021 11:37:38 +0100):
>
>> On 08.01.2021 at 10:28, Christian Wenz wrote:
>>
>>>> The PHP development team announces the immediate availability of PHP
>>>> 8.0.1. This is a security release.
>>>
>>> The release page (https://www.php.net/releases/8_0_1.php) states that it's a
>>> bug fix release. I assume that's correct?
>>
>> PHP 7.3.26, 7.4.14 and 8.0.1 fix CVE-2020-7071, so all three releases
>> are actually security releases (which also have regular bug fixes).
>
> CVE-2020-7071 has a long history: https://bugs.php.net/bug.php?id=77423
> The strange thing is that the fix was also applied to the official PHP 7.2
> branch, which should not receive security fixes anymore.

That was by mistake. I don't think it really matters to have that commit
there; there won't be another release, and the tags are still correct.

> Wouldn't it be better to keep this kind of security backport limited to
> https://github.com/microsoft/php-src/commits/PHP-7.2-Security-backports ?

Well, there may be other (security) backport repos, but generally, that's
the idea. (I should note that Microsoft does not maintain the branches in
this repo except for the PHP-5.6-security-backports-openssl11 branch.)

Christoph

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php