Status of our bundled liboniguruma

8 years ago by Christoph M. Becker — view source — reply

unread

Hi!

I noticed that master bundles oniguruma 6.3.0[1], while oniguruma 6.7.1
has already been released a month ago[2]. Is there any particular
reason not to update to the latest oniguruma, or has it just been forgotten?

[1] https://github.com/php/php-src/tree/master/ext/mbstring/oniguruma
[2] https://github.com/kkos/oniguruma/releases/tag/v6.7.1

--
Christoph M. Becker

8 years ago by Anatol Belski — view source — reply

unread

Hi Christoph,

-----Original Message-----
From: Christoph M. Becker [mailto:cmbecker69@gmx.de]
Sent: Tuesday, February 27, 2018 2:36 PM
To: PHP Internals List internals@lists.php.net
Subject: [PHP-DEV] Status of our bundled liboniguruma

Hi!

I noticed that master bundles oniguruma 6.3.0[1], while oniguruma 6.7.1 has
already been released a month ago[2]. Is there any particular reason not to
update to the latest oniguruma, or has it just been forgotten?

[1] https://github.com/php/php-src/tree/master/ext/mbstring/oniguruma
[2] https://github.com/kkos/oniguruma/releases/tag/v6.7.1

6.3.0 was the last containing CVE fixes which was also backported to PHP 5.6. It was upgraded less than a year ago, since then quite a few versions came out. For 7.3 we could for sure aim at an upgrade to the latest Oniguruma. Some behavior change could be expected according to the release notes, but IMO we'd be fine to try an upgrade before 7.3 starts the pre cycle.

Regards

Anatol

8 years ago by Christoph M. Becker — view source — reply

unread

Hi Anatol!

Hi Christoph,

-----Original Message-----
From: Christoph M. Becker [mailto:cmbecker69@gmx.de]
Sent: Tuesday, February 27, 2018 2:36 PM
To: PHP Internals List internals@lists.php.net
Subject: [PHP-DEV] Status of our bundled liboniguruma

Hi!

I noticed that master bundles oniguruma 6.3.0[1], while oniguruma 6.7.1 has
already been released a month ago[2]. Is there any particular reason not to
update to the latest oniguruma, or has it just been forgotten?

[1] https://github.com/php/php-src/tree/master/ext/mbstring/oniguruma
[2] https://github.com/kkos/oniguruma/releases/tag/v6.7.1

6.3.0 was the last containing CVE fixes which was also backported to PHP 5.6. It was upgraded less than a year ago, since then quite a few versions came out. For 7.3 we could for sure aim at an upgrade to the latest Oniguruma. Some behavior change could be expected according to the release notes, but IMO we'd be fine to try an upgrade before 7.3 starts the pre cycle.

Thanks. I've submitted a respective PR
(https://github.com/php/php-src/pull/3175).

--
Christoph M. Becker