Please note the Ask Ubuntu question only goes into one particular CVE, CVE-2023-3824.
There will be a bunch of other security issues in PHP 7.4 and it would be quite a lot of work to go through every PHP CVE issued since PHP 7.4 was EOL and determine whether they also affect PHP 7.4 and to backport the fix.
It would probably be a good idea for Ubuntu to review its policies for creation of pages like:
https://ubuntu.com/security/CVE-2023-3824
Reporting "Not vulnerable" for EOL software because the version isn't specifically mentioned in the CVE is misleading as CVE policies allow CNAs to simply not report on EOL software
https://www.cve.org/Resources/General/End-of-Life-EOL-Assignment-Process.pdf
EOL software would be better classified as "Unknown" or "Probably Vulnerable - EOL"