Great! Thank you all for the good answers. // Ola
On Thu, 25 Feb 2021 at 10:53, Salvatore Bonaccorso <car...@debian.org> wrote:
> Hi,
>
> On Thu, Feb 25, 2021 at 09:09:08AM +0000, Chris Lamb wrote:
> > Morning Ola,
> >
> > > Today I looked at CVE-2020-36193 since we have php-pear in dla-needed.
> > > The thing is that this CVE tells that drupal7 is also vulnerable but
> > > drupal7 is not in dla-needed.txt.
> >
> > It may be that drupal7 was not marked as being vulnerable to
> > CVE-2020-36193 at the time of triage. After all, the code copy of
> > Tar.php (in "system.tar.inc") is very slightly hidden. I would go
> > ahead and add drupal7 as well -- a very quick glance suggests that it
> > is, indeed, vulnerable.
>
> The specific issue was already fixed in drupal7 by Gunnar's upload in
> DLA 2530-1.
>
> Regards,
> Salvatore
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------