Hi,
[Please keep the BTS copied in on mails about this]
On 31/01/2021 14:16, Hamid Alaei V. wrote:
> I think php is built with pcre 10.35 not 10.36.
Right, but that's nothing to do with Debian - if you got a PHP package
from Debian (or built on a Debian bullseye system), then it would be
built against the Debian package, which is fixed.
> Also I tried to report to Ubuntu with their bug report tool but the tool
> didn't accept it saying it isn't an official Ubuntu package or something
> like that.
Yes, because 10.35-5+ubuntu18.04.1+deb.sury.org+1 is built by
deb.sury.org based on the Ubuntu version 10.35-5+ubuntu18.04.1.
> In Ubuntu your email was also mentioned as maintainer. I have
> no access to a Debian system to check if php has bug there too, I can
> only guess it is the case.
It isn't, because as I say above, Debian's PHP will be built against
Debian's pcre2 version 10.36, which is fixed.
> Is there a chance that you release another 10.35 version with the
> mentioned patch?
I'm afraid not - and even if I did, it wouldn't help you. I can't
control what version Ubuntu provides (I would expect them to pick up the
latest version from Debian, but they clearly haven't yet), nor what
version deb.sury.org use.
> To be honest I really have no idea who should fix this issue. It's too
> complicated for me to figure it out. Thanks for your help anyway.
To try and summarise:
- This bug does not affect Debian.
- Ubuntu could update their pcre2 to match the version in Debian (or apply
  the patch)
- deb.sury.org could update their pcre2 to match the version in Debian (or
  apply the patch); or they could wait for Ubuntu to do so and then build
  off a fixed version provided by Ubuntu
I think, in fact, that the place you are most likely to get traction
soon is from deb.sury.org who provides the package you are complaining
about - I see you have
https://github.com/oerdnj/deb.sury.org/issues/1526 open there.
I have commented there to point out that a fixed version is available
from Debian.
I don't think there's anything more I can do to help you, and that I
should therefore close this bug (since the version in Debian is not
affected by it); do you agree?
Regards,
Matthew