Comment 2 for bug 2054511

Paul McGarry (paul-paulmcgarry) wrote :

Please note the Ask Ubuntu question only goes into one particular CVE, CVE-2023-3824

There will be a bunch of other security issues in PHP 7.4, and it would be quite a lot of work to go through every PHP CVE issued since PHP 7.4 went EOL, determine whether they also affect PHP 7.4, and backport the fix.

It would probably be a good idea for Ubuntu to review its policies for creation of pages like:

https://ubuntu.com/security/CVE-2023-3824

Reporting "Not vulnerable" for EOL software because the version isn't specifically mentioned in the CVE is misleading, as CVE policies allow CNAs to simply not report on EOL software.

https://www.cve.org/Resources/General/End-of-Life-EOL-Assignment-Process.pdf

EOL software would be better classified as "Unknown" or "Probably Vulnerable - EOL".