Hi Gabriel,

> The PHP development team announces the immediate availability of PHP
> 8.0.1. This is a security release.

The release page (https://www.php.net/releases/8_0_1.php) states that it's a
bug fix release. I assume that's correct?

--Christian
>> The PHP development team announces the immediate availability of PHP
>> 8.0.1. This is a security release.
>
> The release page (https://www.php.net/releases/8_0_1.php) states that it's a
> bug fix release. I assume that's correct?

PHP 7.3.26, 7.4.14 and 8.0.1 fix CVE-2020-7071, so all three releases
are actually security releases (which also have regular bug fixes).

Christoph
"Christoph M. Becker" in php.internals (Fri, 8 Jan 2021 11:37:38 +0100):
>>> The PHP development team announces the immediate availability of PHP
>>> 8.0.1. This is a security release.
>>
>> The release page (https://www.php.net/releases/8_0_1.php) states that it's a
>> bug fix release. I assume that's correct?
>
> PHP 7.3.26, 7.4.14 and 8.0.1 fix CVE-2020-7071, so all three releases
> are actually security releases (which also have regular bug fixes).

CVE-2020-7071 has a long history: https://bugs.php.net/bug.php?id=77423

The strange thing is that the fix was also applied to the official PHP 7.2
branch, which should not receive security fixes anymore.

Would it not be better to keep these kinds of security backports limited to
https://github.com/microsoft/php-src/commits/PHP-7.2-Security-backports ?

Jan
"Christoph M. Becker" in php.internals (Fri, 8 Jan 2021 11:37:38 +0100):
>>>> The PHP development team announces the immediate availability of PHP
>>>> 8.0.1. This is a security release.
>>>
>>> The release page (https://www.php.net/releases/8_0_1.php) states that it's a
>>> bug fix release. I assume that's correct?
>>
>> PHP 7.3.26, 7.4.14 and 8.0.1 fix CVE-2020-7071, so all three releases
>> are actually security releases (which also have regular bug fixes).
>
> CVE-2020-7071 has a long history: https://bugs.php.net/bug.php?id=77423
>
> The strange thing is that the fix was also applied to the official PHP 7.2
> branch, which should not receive security fixes anymore.

That was by mistake. I don't think it doesn't really matter to have
that commit there; there won't be another release, and the tags are
still correct.

> Would it not be better to keep these kinds of security backports limited to
> https://github.com/microsoft/php-src/commits/PHP-7.2-Security-backports ?

Well, there may be other (security) backport repos, but generally,
that's the idea.

(I should note that Microsoft does not maintain the branches in this
repo except for the PHP-5.6-security-backports-openssl11 branch.)

Christoph