Yeah I realised there wasn't PHP 8 in Debian anywhere yet but referencing it is worthwhile otherwise months later someone might ask me about it and I'll go, hmm I think we fixed that.
Buster will have a debdiff to review very soon. Bullseye I have asked for the version in Sid to be unblocked in #987084 which I think is the best outcome for future maintenance.

 - Craig

On Sat, 17 Apr 2021 at 16:37, Salvatore Bonaccorso <car...@debian.org> wrote:

> Hi Craig,
>
> On Sat, Apr 17, 2021 at 08:32:35AM +1000, Craig Small wrote:
> > Should CVE-2021-29447 [1] be also listed against this bug? I'll be putting
> > it in the changelog.
>
> I chose to explicitly cover only CVE-2021-29450 with this bug
> because CVE-2021-29447 while fixed as well with 5.7.1, is only a
> problem with PHP8, which is not the default version for bullseye/sid.
>
> But clearly if you fix the issues by updating to 5.7.1 then by all
> means yes list as well CVE-2021-29447 in the changelog entry.
>
> Thanks for your work!
>
> Salvatore