Yeah, I mean, it would be good if there was an actual CVE attached to the exploit, as just saying "the most severe of which could allow an attacker to execute arbitrary code" without specifying which of the bugfixes they are referring to is sort of neither here nor there. Looking cursorily at the changes in 7.2.11, none are obviously security fixes (segfault prevention is good, of course) in the vein of arbitrary code execution, but I'm also not a security expert!
We will normally do MRE (microrelease updates) of PHP (esp. in the LTS series) at a regular cadence. AFAICT, this update only came out a week ago and wasn't embargoed, etc. (so I'm really not sure it's a pressing security issue, the ISAC notwithstanding). I will try and work with the security team, but I expect this to just roll out via normal -updates otherwise.

--
https://bugs.launchpad.net/bugs/1798625
Title: Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution