"CVE-2018-5712" appears many times in the PHP changelogs, which confuses me. Could someone explain this phenomenon? Thanks.
7.2.5
7.2.1
7.1.17
7.1.13
7.0.30
It means that the first attempt to fix the bug (CVE-2018-5712) failed: after the first fix, the security vulnerability still exists and the PHP team has to fix it again.
For example:
PHP 7.2.5
Phar:
Fixed bug #76129 (fix for CVE-2018-5712 may not be complete). (CVE-2018-10547)
PHP 7.2.1
Phar:
Fixed bug #74782 (Reflected XSS in .phar 404 page). (CVE-2018-5712)
Fixed bugs don't affect newer releases. PHP 7.4 is very new, so it isn't affected by CVE-2018-xxx or CVE-2015-xxx. Generally speaking, if a version is not mentioned by a CVE, then it is not affected by that CVE.
Once a bug is fixed, it won't affect newer versions. There are unit tests to ensure that new versions avoid the fixed bugs as much as possible. If there was a mistake during development and a fixed bug appeared in newer versions, it's called a "regression bug" and must be fixed again and logged in the release notes.
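The changelog reading described above, as an added example that is not part of the original question or answers: it parses the two PHP 7.2 entries quoted on this page, links the follow-up CVE to the one it names, and reports the lowest release per branch that carries the complete fix. The function names are hypothetical, and the line format is assumed to match the quoted entries.

```python
import re

# Sample input: the two PHP 7.2 changelog entries quoted on this page.
CHANGELOG = """\
PHP 7.2.5
Phar:
Fixed bug #76129 (fix for CVE-2018-5712 may not be complete). (CVE-2018-10547)
PHP 7.2.1
Phar:
Fixed bug #74782 (Reflected XSS in .phar 404 page). (CVE-2018-5712)
"""

VERSION_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)\s*$")
ENTRY_RE = re.compile(r"^Fixed bug #(\d+) \((.*)\)\.(?: \((CVE-\d{4}-\d+)\))?\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

def parse_changelog(text):
    """Return one dict per 'Fixed bug' line: release, bug id, assigned CVE, CVEs named in the description."""
    entries, version = [], None
    for line in text.splitlines():
        if m := VERSION_RE.match(line):
            version = tuple(map(int, m.groups()))
        elif version and (m := ENTRY_RE.match(line)):
            bug, desc, cve = m.groups()
            entries.append({"version": version, "bug": int(bug),
                            "cve": cve, "refs": set(CVE_RE.findall(desc))})
    return entries

def related_cves(entries, cve):
    """The CVE plus every follow-up CVE whose entry refers back to it (transitively)."""
    related, grew = {cve}, True
    while grew:
        grew = False
        for e in entries:
            if e["cve"] and e["cve"] not in related and e["refs"] & related:
                related.add(e["cve"])
                grew = True
    return related

def complete_fix_release(entries, cve):
    """Per branch (major, minor): the lowest release carrying the fix and all its follow-ups."""
    related, result = related_cves(entries, cve), {}
    for e in entries:
        if e["cve"] in related:
            branch = e["version"][:2]
            result[branch] = max(result.get(branch, e["version"]), e["version"])
    return result

def has_complete_fix(installed, entries, cve):
    """True/False for a known branch, None when the changelog text has no entry for that branch."""
    needed = complete_fix_release(entries, cve).get(installed[:2])
    return None if needed is None else installed >= needed
```

A `None` result only means the supplied changelog text contains no matching entry for that branch; the function makes no claim about such a release.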