On 28/03/2019 at 22:50, Stanislav Malyshev wrote:
> Hi!
>
> I wonder if there's any reason not to update the bundled oniguruma library
> for 7.1/7.2. The 7.1 one is ancient, the 7.2 one is more recent but still
> behind. There are numerous fixes, I am sure, and one functionality
> improvement that allows implementing proper stack depth limiting
> (https://github.com/php/php-src/pull/3997). Which also makes it kinda
> security-relevant, which is why I am considering 7.1 too. The risk of
> course is that there's some kind of BC break, but I haven't heard about
> anything like that. Did anybody?
> Another risk is that the newer library requires some new code to handle some
> of the new options, and if we plug it into old code it may expose new
> bugs (e.g. if you use some regex feature but our code can't handle it). A
> quick scan through the release notes does not show anything like that,
> but in theory it's possible.
>
> Does anybody have any thoughts on this?
7.1 has version 5.9.6
7.2 has version 6.3.0
7.3 has version 6.9.0 (latest is 6.9.1)
7.4 only uses the system library

As we encourage system library usage (default in 7.4), if this raises the minimal allowed version, it will create issues for 7.4.
Ex: RHEL has 5.9, Debian has 6.1

I think we have to manage such a change in a compatible way (feature availability tested in configure).

So, I don't think the bundled library (especially in 7.1) should be updated.

Remi

P.S. From a downstream PoV, as the soname is different, is it possible to have a compat package for the library (v5.9 uses 2, v6.1 uses 4, v6.9 uses 5)?