“CVE-2018-5712” appears many times in PHP changelogs, which makes me confused

Backend · Unresolved · 1 · 1108
半阙折子戏 2021-01-24 16:19

\"CVE-2018-5712\" appears many times in PHP changelogs, which makes me confused. Could someone explain this phenomenon? Thanks.

7.2.5
7.2.1
7.1.17
7.1.13
7.0.30
1 answer
小蘑菇 (original poster)
    2021-01-24 16:59

    It means that the first attempt to fix the bug (CVE-2018-5712) failed; after the first fix the security vulnerability still existed, and the PHP team had to fix it again.

    For example:

    PHP 7.2.5

    Phar:
        Fixed bug #76129 (fix for CVE-2018-5712 may not be complete). (CVE-2018-10547)

    PHP 7.2.1

    Phar:
        Fixed bug #74782 (Reflected XSS in .phar 404 page). (CVE-2018-5712)

    Fixed bugs don't affect newer releases. PHP 7.4 is very new, so it isn't affected by CVE-2018-xxx or CVE-2015-xxx. Generally speaking, if a version is not mentioned by a CVE, then it is not affected by that CVE.

    Once a bug has been fixed, it won't affect newer versions. There are unit tests to ensure that new versions avoid the fixed bugs as much as possible. If a mistake during development causes a fixed bug to reappear in a newer version, it's called a "regression bug" and must be fixed again and logged in the release notes.

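Added example (not part of the question or the answer above): a small Python script that parses changelog entries in the shape quoted in the answer, links an incomplete-fix follow-up (bug #76129 / CVE-2018-10547) back to the original CVE it names (CVE-2018-5712), and then checks whether a given PHP version carries the whole fix chain. The 7.2.5 and 7.2.1 lines are the ones quoted in the answer; the 7.1.17, 7.1.13 and 7.0.30 entries are constructed from the version list in the question and are an assumption about which fix landed where. The rule that a branch newer than every branch that received a fix is unaffected follows the answer's "7.4 isn't affected" reasoning and is likewise an assumption. The real PHP NEWS file uses `- Phar:` and `. Fixed bug` prefixes; the regexes below tolerate both.

```python
"""Parse PHP changelog excerpts, chain incomplete-fix follow-ups to the CVE
they name, and decide whether an installed version contains the full fix."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the layout quoted on this page. Only the 7.2.5 and
# 7.2.1 entries are taken from the answer; the other three are assumed.
SAMPLE_CHANGELOG = """
PHP 7.2.5
Phar:
    Fixed bug #76129 (fix for CVE-2018-5712 may not be complete). (CVE-2018-10547)

PHP 7.2.1
Phar:
    Fixed bug #74782 (Reflected XSS in .phar 404 page). (CVE-2018-5712)

PHP 7.1.17
Phar:
    Fixed bug #76129 (fix for CVE-2018-5712 may not be complete). (CVE-2018-10547)

PHP 7.1.13
Phar:
    Fixed bug #74782 (Reflected XSS in .phar 404 page). (CVE-2018-5712)

PHP 7.0.30
Phar:
    Fixed bug #76129 (fix for CVE-2018-5712 may not be complete). (CVE-2018-10547)
"""

VERSION_RE = re.compile(r"^PHP (\d+\.\d+\.\d+)\s*$")
COMPONENT_RE = re.compile(r"^-?\s*([A-Za-z0-9_ ]+):\s*$")
ENTRY_RE = re.compile(r"Fixed bug #(?P<bug>\d+) \((?P<desc>.*)\)\.\s*\((?P<cve>CVE-\d{4}-\d+)\)")
CVE_REF_RE = re.compile(r"CVE-\d{4}-\d+")


@dataclass(frozen=True)
class Entry:
    version: str
    component: str
    bug: int
    description: str
    cve: str
    refers_to: tuple  # earlier CVEs named inside the description (incomplete fixes)


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def parse_changelog(text):
    """Walk release headers, component headers and 'Fixed bug' lines in order."""
    entries, version, component = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := VERSION_RE.match(line):
            version, component = m.group(1), None
        elif m := COMPONENT_RE.match(line):
            component = m.group(1).strip()
        elif (m := ENTRY_RE.search(line)) and version:
            refs = tuple(c for c in CVE_REF_RE.findall(m.group("desc")) if c != m.group("cve"))
            entries.append(Entry(version, component or "", int(m.group("bug")),
                                 m.group("desc"), m.group("cve"), refs))
    return entries


def fix_versions(entries):
    """CVE -> versions (one per branch) whose changelog records its fix."""
    out = defaultdict(set)
    for e in entries:
        out[e.cve].add(e.version)
    return {cve: sorted(vs, key=parse_version) for cve, vs in out.items()}


def followups(entries):
    """Original CVE -> CVEs assigned to follow-up fixes that name it."""
    out = defaultdict(list)
    for e in entries:
        for ref in e.refers_to:
            if e.cve not in out[ref]:
                out[ref].append(e.cve)
    return dict(out)


def fix_chain(entries, cve):
    """The CVE itself followed by every follow-up CVE, transitively."""
    fu, chain, queue = followups(entries), [], [cve]
    while queue:
        c = queue.pop(0)
        if c not in chain:
            chain.append(c)
            queue.extend(fu.get(c, []))
    return chain


def is_fixed(entries, cve, installed):
    """True if `installed` is at or past the fix in its own branch, False if it
    predates it, None if the branch is older than every fixed branch (not
    covered by the excerpt, e.g. an EOL branch)."""
    inst = parse_version(installed)
    by_branch = {parse_version(v)[:2]: parse_version(v) for v in fix_versions(entries).get(cve, [])}
    if inst[:2] in by_branch:
        return inst >= by_branch[inst[:2]]
    if not by_branch:
        return None
    # Assumption: a branch cut after every fix landed (the answer's 7.4 case) is unaffected.
    return True if inst[:2] > max(by_branch) else None


def fully_fixed(entries, cve, installed):
    """Fixed only when the original CVE and all its follow-ups are fixed."""
    results = [is_fixed(entries, c, installed) for c in fix_chain(entries, cve)]
    return None if any(r is None for r in results) else all(results)


if __name__ == "__main__":
    ents = parse_changelog(SAMPLE_CHANGELOG)
    print("fix chain:", fix_chain(ents, "CVE-2018-5712"))
    for v in ("7.2.1", "7.2.5", "7.4.0", "7.0.30"):
        print(v, "fully fixed:", fully_fixed(ents, "CVE-2018-5712", v))
```

The point the chain check makes is the one the answer makes: 7.2.1 "fixes" CVE-2018-5712 yet is still not clean, because the follow-up CVE-2018-10547 only lands in 7.2.5. The `None` result for 7.0.30 is deliberate: the excerpt never shows where the original fix landed in the 7.0 branch, so the script refuses to guess rather than reporting it as safe.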