[PHP-DEV] Status of our bundled liboniguruma

Posted by Christoph M. Becker 
Christoph M. Becker
[PHP-DEV] Status of our bundled liboniguruma
February 27, 2018 02:40PM
Hi!

I noticed that master bundles oniguruma 6.3.0[1], while oniguruma 6.7.1
has already been released a month ago[2]. Is there any particular
reason not to update to the latest oniguruma, or has it just been forgotten?

[1] https://github.com/php/php-src/tree/master/ext/mbstring/oniguruma
[2] https://github.com/kkos/oniguruma/releases/tag/v6.7.1

--
Christoph M. Becker

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
Anatol Belski
RE: [PHP-DEV] Status of our bundled liboniguruma
March 01, 2018 10:50AM
Hi Christoph,

> -----Original Message-----
> From: Christoph M. Becker [mailto:[email protected]]
> Sent: Tuesday, February 27, 2018 2:36 PM
> To: PHP Internals List <[email protected]>
> Subject: [PHP-DEV] Status of our bundled liboniguruma
>
> Hi!
>
> I noticed that master bundles oniguruma 6.3.0[1], while oniguruma 6.7.1 has
> already been released a month ago[2]. Is there any particular reason not to
> update to the latest oniguruma, or has it just been forgotten?
>
> [1] https://github.com/php/php-src/tree/master/ext/mbstring/oniguruma
> [2] https://github.com/kkos/oniguruma/releases/tag/v6.7.1
>
6.3.0 was the last containing CVE fixes which was also backported to PHP 5.6. It was upgraded less than a year ago, since then quite a few versions came out. For 7.3 we could for sure aim at an upgrade to the latest Oniguruma. Some behavior change could be expected according to the release notes, but IMO we'd be fine to try an upgrade before 7.3 starts the pre cycle.

Regards

Anatol
Christoph M. Becker
Re: [PHP-DEV] Status of our bundled liboniguruma
March 06, 2018 03:40PM
Hi Anatol!

On 01.03.2018 at 10:44, Anatol Belski wrote:

> Hi Christoph,
>
>> -----Original Message-----
>> From: Christoph M. Becker [mailto:[email protected]]
>> Sent: Tuesday, February 27, 2018 2:36 PM
>> To: PHP Internals List <[email protected]>
>> Subject: [PHP-DEV] Status of our bundled liboniguruma
>>
>> Hi!
>>
>> I noticed that master bundles oniguruma 6.3.0[1], while oniguruma 6.7.1 has
>> already been released a month ago[2]. Is there any particular reason not to
>> update to the latest oniguruma, or has it just been forgotten?
>>
>> [1] https://github.com/php/php-src/tree/master/ext/mbstring/oniguruma
>> [2] https://github.com/kkos/oniguruma/releases/tag/v6.7.1
>
> 6.3.0 was the last containing CVE fixes which was also backported to PHP 5.6. It was upgraded less than a year ago, since then quite a few versions came out. For 7.3 we could for sure aim at an upgrade to the latest Oniguruma. Some behavior change could be expected according to the release notes, but IMO we'd be fine to try an upgrade before 7.3 starts the pre cycle.

Thanks. I've submitted a respective PR
(https://github.com/php/php-src/pull/3175).

--
Christoph M. Becker
