Morning Ola,

> Today I looked at CVE-2020-36193 since we have php-pear in dla-needed.
> The thing is that this CVE tells that drupal7 is also vulnerable but
> drupal7 is not in dla-needed.txt.

It may be that drupal7 was not marked as being vulnerable to
CVE-2020-36193 at the time of triage. After all, the code copy of
Tar.php (in "system.tar.inc") is very slightly hidden.

I would go ahead and add drupal7 as well -- a very quick glance
suggests that it is, indeed, vulnerable.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-