"CVE-2018-5712" appears many times in PHP changelogs, which makes me confused

Question

"CVE-2018-5712" appears many times in PHP changelogs, which makes me confused. Could someone explain this phenomenon? Thanks.

7.2.5
7.2.1
7.1.17
7.1.13
7.0.30
7.0.27
5.6.36
5.6.33

https://www.php.net/ChangeLog-7.php

https://www.php.net/ChangeLog-5.php

Another question of mine has been closed by someone. So I have to modify this question to add that one below.

I can't find "CVE-2015-4603" on the PHP changelogs.

According to https://www.cvedetails.com/cve/CVE-2015-4603/, I guess it has been fixed in PHP 5.6.8. Am I right? Why doesn't the string "CVE-2015-4603" appear on the PHP changelog? How about PHP 7.0, 7.1, 7.2, 7.3, 7.4? Do they have this issue? Thanks in advance.

Answer 1

It means that the first attempt to fix the bug (CVE-2018-5712) failed, after the first fix the security vulnerability still exists and the PHP team has to fix it again.

For example:

PHP 7.2.5

Phar:
    Fixed bug #76129 (fix for CVE-2018-5712 may not be complete). (CVE-2018-10547)

PHP 7.2.1

Phar:
    Fixed bug #74782 (Reflected XSS in .phar 404 page). (CVE-2018-5712)

Fixed bugs doesn't affect newer releases. PHP 7.4 is very new so it isn't affected by CVE-2018-xxx or CVE-2015-xxx. Generally speaking, if a version is not mentioned by CVE, then it is not affected by the CVE.

Once a bug was fixed, it wouldn't affect newer versions. There are unit tests to ensure that the new versions can avoid the fixed bugs as much as possible. If there was a mistake during development and a fixed bug appeared in newer versions, it's called a "regression bug" and must be fixed again and logged into release notes.