Hi,

On Wed, 15 Nov 2017, Roberto C. Sánchez wrote:
> The commit was made for PHP version 5.6 and mentions CVE-2017-14107 [0].
> However, CVE-2017-14107 is only listed for libzip in the security
> tracker. I looked at the build log and php5 in wheezy definitely builds
> the file that was modified in that commit. My conclusion is that php5
> in wheezy embeds and builds a vulnerable version of libzip. Is it then
> correct to add php5 as being affected by that CVE in data/CVE/list?

Yes.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
