“CVE-2018-5712” appears many times in PHP changelogs, which makes me confused. Could someone explain this phenomenon? Thanks.
7.2.5 7.2.1 7.1.17 7.1.13 7.0.30 7.0.27 5.6.36 5.6.33
https://www.php.net/ChangeLog-7.php
https://www.php.net/ChangeLog-5.php
Another question of mine has been closed by someone. So I have to modify this question to add that one below.
I can’t find “CVE-2015-4603” on the PHP changelogs.
According to https://www.cvedetails.com/cve/CVE-2015-4603/, I guess it has been fixed in PHP 5.6.8. Am I right? Why doesn’t the string “CVE-2015-4603” appear on the PHP changelog? How about PHP 7.0, 7.1, 7.2, 7.3, 7.4? Do they have this issue? Thanks in advance.
Advertisement
Answer
It means that the first attempt to fix the bug (CVE-2018-5712) failed, after the first fix the security vulnerability still exists and the PHP team has to fix it again.
For example:
PHP 7.2.5
Phar: Fixed bug #76129 (fix for CVE-2018-5712 may not be complete). (CVE-2018-10547)
PHP 7.2.1
Phar: Fixed bug #74782 (Reflected XSS in .phar 404 page). (CVE-2018-5712)
Fixed bugs doesn’t affect newer releases. PHP 7.4 is very new so it isn’t affected by CVE-2018-xxx or CVE-2015-xxx. Generally speaking, if a version is not mentioned by CVE, then it is not affected by the CVE.
Once a bug was fixed, it wouldn’t affect newer versions. There are unit tests to ensure that the new versions can avoid the fixed bugs as much as possible. If there was a mistake during development and a fixed bug appeared in newer versions, it’s called a “regression bug” and must be fixed again and logged into release notes.