There is a disputed CVE that has received attention in the press recently, due to it being actively exploited to create a botnet called FreakOut!: https://nvd.nist.gov/vuln/detail/CVE-2021-3007 The description there says that ZendFramework is no longer maintained. We have several of these packages. Do we need to remove them all?
Priority: Normal => release_blocker
See no choice but to assign this to everybody for comment.
Assignee: bugsquad => pkg-bugs
They are not needed by anything so I am not against removing them.
CC: (none) => mageia
Drupal replaced all its ZendFramework dependencies by Laminas ones because ZendFramework is indeed abandoned, see: https://www.drupal.org/project/drupal/issues/3104015 So it's probably a good idea to kill it entirely before releasing Mageia 8. They can be replaced by Laminas if needed.
adding it in task obsolete.
There are some left over:
php-laminas-zendframework-bridge-1.1.1-1.mga8.noarch.rpm
php-zendframework-zend-console-2.8.0-2.mga8.noarch.rpm
php-zendframework-zend-i18n-2.10.1-2.mga8.noarch.rpm
php-zendframework-zend-json-3.1.2-2.mga8.noarch.rpm
php-zendframework-zend-loader-2.6.1-2.mga8.noarch.rpm
php-zendframework-zend-serializer-2.9.1-2.mga8.noarch.rpm
Ping.
php-laminas-zendframework-bridge-1.1.1-1.mga8.src.rpm
php-zendframework-zend-console-2.8.0-2.mga8.src.rpm
php-zendframework-zend-i18n-2.10.1-2.mga8.src.rpm
php-zendframework-zend-json-3.1.2-2.mga8.src.rpm
php-zendframework-zend-loader-2.6.1-2.mga8.src.rpm
php-zendframework-zend-serializer-2.9.1-2.mga8.src.rpm
are still present on the mirrors. Lowering the priority slightly as none of these packages are on any of the iso images. They could be removed by task-obsolete or task-null post release.
CC: (none) => davidwhodgins
Priority: release_blocker => High
fixed.
Status: NEW => RESOLVED
Resolution: (none) => FIXED