The Debian stable has been fixed shortly after the new version was updated. There’s no strong security update guarantee for unstable and testing. From the security team FAQ:
> If you want to have a secure (and stable) server you are strongly encouraged > to stay with stable. Ondrej -- Ondřej Surý <ond...@sury.org> > On 11 Nov 2019, at 20:30, Alex <g...@gmx.net> wrote: > > Hi, > > PHP published a fixed version (7.3.11) before this CVE went public. Can you > please package and upload that version? > > If that is not possible, can you please at least explain in the bug report why > fixing this (pretty serious) bug is not possible at the moment? That might > attract some assistance if needed. > -- > mvg, > > Alex Hermann >
