[ALSA-2020:3662] Moderate: php:7.3 security, bug fix, and enhancement update
Type:
security
Severity:
moderate
Release date:
2020-09-08
Description:
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: php (7.3.20). (BZ#1856655) Security Fix(es): * php: Out-of-bounds read due to integer overflow in iconv_mime_decode_headers() (CVE-2019-11039) * php: Buffer over-read in exif_read_data() (CVE-2019-11040) * php: DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte (CVE-2019-11045) * php: Information disclosure in exif_read_data() (CVE-2019-11047) * php: Integer wraparounds when receiving multipart forms (CVE-2019-11048) * oniguruma: Use-after-free in onig_new_deluxe() in regext.c (CVE-2019-13224) * oniguruma: NULL pointer dereference in match_at() in regexec.c (CVE-2019-13225) * oniguruma: Stack exhaustion in regcomp.c because of recursion in regparse.c (CVE-2019-16163) * oniguruma: Heap-based buffer over-read in function gb18030_mbc_enc_len in file gb18030.c (CVE-2019-19203) * oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c (CVE-2019-19204) * pcre: Out of bounds read in JIT mode when \X is used in non-UTF mode (CVE-2019-20454) * php: Out of bounds read in php_strip_tags_ex (CVE-2020-7059) * php: Global buffer-overflow in mbfl_filt_conv_big5_wchar function (CVE-2020-7060) * php: NULL pointer dereference in PHP session upload progress (CVE-2020-7062) * php: Files added to tar with Phar::buildFromIterator have all-access permissions (CVE-2020-7063) * php: Information disclosure in exif_read_data() function (CVE-2020-7064) * php: Using mb_strtolower() function with UTF-32LE encoding leads to potential code execution (CVE-2020-7065) * php: Heap buffer over-read in exif_scan_thumbnail() (CVE-2019-11041) * php: Heap buffer over-read in exif_process_user_comment() (CVE-2019-11042) * php: Out of bounds read when parsing EXIF information (CVE-2019-11050) * oniguruma: Heap-based buffer overflow in str_lower_case_match in regexec.c (CVE-2019-19246) * php: Information disclosure in function get_headers (CVE-2020-7066) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Updated packages:
  • apcu-panel-5.1.17-1.module_el8.3.0+2009+b272fdef.noarch.rpm
  • libzip-1.5.2-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • libzip-devel-1.5.2-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • libzip-tools-1.5.2-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-bcmath-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-cli-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-common-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-dba-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-dbg-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-devel-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-embedded-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-enchant-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-fpm-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-gd-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-gmp-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-intl-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-json-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-ldap-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-mbstring-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-mysqlnd-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-odbc-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-opcache-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-pdo-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-pear-1.10.9-1.module_el8.3.0+2009+b272fdef.noarch.rpm
  • php-pecl-apcu-5.1.17-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-pecl-apcu-devel-5.1.17-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-pecl-rrd-2.0.1-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-pecl-xdebug-2.8.0-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-pecl-zip-1.15.4-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-pgsql-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-process-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-recode-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-snmp-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-soap-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-xml-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
  • php-xmlrpc-7.3.20-1.module_el8.3.0+2009+b272fdef.x86_64.rpm
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.