"Christoph M. Becker" in php.internals (Fri, 8 Jan 2021 11:37:38 +0100):
>On 08.01.2021 at 10:28, Christian Wenz wrote:
>
>>> The PHP development team announces the immediate availability of PHP 
>>> 8.0.1. This is a security release.
>> 
>> The release page (https://www.php.net/releases/8_0_1.php) states that it's a
>> bug fix release. I assume that's correct?
>
>PHP 7.3.26, 7.4.14 and 8.0.1 fix CVE-2020-7071, so all three releases
>are actually security releases (which also have regular bug fixes).

CVE-2020-7071 has a long history: https://bugs.php.net/bug.php?id=77423 
The strange thing is that the fix was also applied to the official PHP 7.2
branch, which should not receive security fixes anymore.

Would it not be better to keep these kinds of security backports limited to
https://github.com/microsoft/php-src/commits/PHP-7.2-Security-backports ?
-- 
Jan

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
