Newsgroups: php.internals
To: internals@lists.php.net
Date: Sat, 09 Jan 2021 21:31:30 +0100
Message-ID: <8t3kvf9rkgjbfcjbmi6q6cs1vorc4rrbjm@4ax.com>
References: <00ea01d6e5a0$9ff61140$dfe233c0$@wenz.org> <670b7b77-3a39-5276-7ee3-24d3333881e2@arcor.de>
Subject: Re: PHP 8.0.1 Released!
From: phpdev@ehrhardt.nl (Jan Ehrhardt)

"Christoph M. Becker" in php.internals (Fri, 8 Jan 2021 11:37:38 +0100):
>On 08.01.2021 at 10:28, Christian Wenz wrote:
>
>>> The PHP development team announces the immediate availability of PHP
>>> 8.0.1. This is a security release.
>>
>> The release page (https://www.php.net/releases/8_0_1.php) states that it's a
>> bug fix release. I assume that's correct?
>
>PHP 7.3.26, 7.4.14 and 8.0.1 fix CVE-2020-7071, so all three releases
>are actually security releases (which also have regular bug fixes).

CVE-2020-7071 has a long history:
https://bugs.php.net/bug.php?id=77423

The strange thing is that the fix was also applied to the official PHP
7.2 branch, which should not receive security fixes anymore. Would it
not be better to keep these kinds of security backports limited to
https://github.com/microsoft/php-src/commits/PHP-7.2-Security-backports ?
-- 
Jan