| Summary: | PHP 7.3.26 (fixes CVE-2020-7071) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Marc Krämer <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, mageia, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | php-7.3.23-1.mga7.src.rpm | CVE: | CVE-2020-7071 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 28037 | ||
|
Description
Marc Krämer
2021-01-07 19:16:33 CET

Marc Krämer
2021-01-07 19:18:24 CET
Blocks:
(none) => 28037
https://www.php.net/ChangeLog-7.php#PHP_7_3
Summary:
PHP: Security issue => PHP 7.3.26 (fixes CVE-2020-7071)

Suggested advisory:
========================

Updated php to fix security vulnerabilities:

- FILTER_VALIDATE_URL accepts URLs with invalid userinfo [1]
- stream_get_contents() fails with maxlength=-1 or default

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7071
[2] https://www.php.net/ChangeLog-7.php#PHP_7_3_26
========================

Updated packages in core/updates_testing:

apache-mod_php-7.3.26-1.mga7
php-bcmath-7.3.26-1.mga7
php-bz2-7.3.26-1.mga7
php-calendar-7.3.26-1.mga7
php-cgi-7.3.26-1.mga7
php-cli-7.3.26-1.mga7
php-ctype-7.3.26-1.mga7
php-curl-7.3.26-1.mga7
php-dba-7.3.26-1.mga7
php-devel-7.3.26-1.mga7
php-doc-7.3.26-1.mga7
php-dom-7.3.26-1.mga7
php-enchant-7.3.26-1.mga7
php-exif-7.3.26-1.mga7
php-fileinfo-7.3.26-1.mga7
php-filter-7.3.26-1.mga7
php-fpm-7.3.26-1.mga7
php-fpm-apache-7.3.26-1.mga7
php-ftp-7.3.26-1.mga7
php-gd-7.3.26-1.mga7
php-gettext-7.3.26-1.mga7
php-gmp-7.3.26-1.mga7
php-iconv-7.3.26-1.mga7
php-imagick-3.4.4-1.1.mga7
php-imap-7.3.26-1.mga7
php-ini-7.3.26-1.mga7
php-interbase-7.3.26-1.mga7
php-intl-7.3.26-1.mga7
php-json-7.3.26-1.mga7
php-ldap-7.3.26-1.mga7
php-mbstring-7.3.26-1.mga7
php-mysqli-7.3.26-1.mga7
php-mysqlnd-7.3.26-1.mga7
php-odbc-7.3.26-1.mga7
php-oojs-oojs-ui-0.41.0-1.mga7
php-opcache-7.3.26-1.mga7
php-openssl-7.3.26-1.mga7
php-pcntl-7.3.26-1.mga7
php-pdo-7.3.26-1.mga7
php-pdo_dblib-7.3.26-1.mga7
php-pdo_firebird-7.3.26-1.mga7
php-pdo_mysql-7.3.26-1.mga7
php-pdo_odbc-7.3.26-1.mga7
php-pdo_pgsql-7.3.26-1.mga7
php-pdo_sqlite-7.3.26-1.mga7
php-pgsql-7.3.26-1.mga7
php-phar-7.3.26-1.mga7
php-posix-7.3.26-1.mga7
php-readline-7.3.26-1.mga7
php-recode-7.3.26-1.mga7
php-session-7.3.26-1.mga7
php-shmop-7.3.26-1.mga7
php-snmp-7.3.26-1.mga7
php-soap-7.3.26-1.mga7
php-sockets-7.3.26-1.mga7
php-sodium-7.3.26-1.mga7
php-sqlite3-7.3.26-1.mga7
php-sysvmsg-7.3.26-1.mga7
php-sysvsem-7.3.26-1.mga7
php-sysvshm-7.3.26-1.mga7
php-tidy-7.3.26-1.mga7
php-tokenizer-7.3.26-1.mga7
php-wddx-7.3.26-1.mga7
php-xml-7.3.26-1.mga7
php-xmlreader-7.3.26-1.mga7
php-xmlrpc-7.3.26-1.mga7
php-xmlwriter-7.3.26-1.mga7
php-xsl-7.3.26-1.mga7
php-zip-7.3.26-1.mga7
php-zlib-7.3.26-1.mga7
phpdbg-7.3.26-1.mga7

SRPM:
php-7.3.26-1.mga7.src.rpm

replace [1] with (CVE-2020-7071) in the advisory, to be clear
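As an added illustration of the first advisory item (this is not code from the PHP project, from the Mageia packages, or from this bug report): the check a URL validator has to enforce on the userinfo part of the authority is the RFC 3986 grammar `userinfo = *( unreserved / pct-encoded / sub-delims / ":" )`. The Python below reimplements that rule stand-alone with `urllib.parse`, so it is independent of PHP's `FILTER_VALIDATE_URL`; the sample URLs are constructed for the demonstration and are not taken from the advisory or the CVE.

```python
import re
from urllib.parse import urlsplit

# RFC 3986, section 3.2.1:
#   userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
#   unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
#   pct-encoded = "%" HEXDIG HEXDIG
#   sub-delims  = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
# Note that "@", "/", "\", space and a bare "%" are all outside the grammar.
_USERINFO_RE = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:]|%[0-9A-Fa-f]{2})*$")


def split_authority(url: str):
    """Return (userinfo, hostport); userinfo is None when the URL has none.

    The split is on the *last* '@' because '@' is not a legal userinfo
    character, so a conforming authority contains at most one of them.
    """
    netloc = urlsplit(url).netloc
    userinfo, sep, hostport = netloc.rpartition("@")
    if not sep:
        return None, netloc
    return userinfo, hostport


def userinfo_is_valid(userinfo) -> bool:
    """True when userinfo is absent or matches the RFC 3986 grammar exactly."""
    return userinfo is None or _USERINFO_RE.match(userinfo) is not None


def validate_url(url: str) -> bool:
    """Strict acceptance check for a URL before it is stored or fetched.

    Requires an http(s) scheme, a non-empty host part and RFC-conformant
    userinfo.  Anything urlsplit itself refuses (e.g. unbalanced IPv6
    brackets) is rejected rather than treated as an error.
    """
    try:
        parts = urlsplit(url)
        userinfo, hostport = split_authority(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if not hostport:
        return False
    return userinfo_is_valid(userinfo)


# Constructed sample inputs (not from the advisory) with the expected verdict.
SAMPLE_URLS = {
    "https://alice:s3cret@example.com/": True,            # plain user:pass
    "https://alice%40corp:p%40ss@example.com/": True,     # '@' correctly pct-encoded
    "http://example.com/": True,                          # no userinfo at all
    "https://alice@evil.example@example.com/": False,     # raw '@' inside userinfo
    "https://alice:pa ss@example.com/": False,            # space is not allowed
    "https://alice:p%zz@example.com/": False,             # malformed pct-encoding
    "https://a\\b@example.com/": False,                   # backslash is not allowed
    "https://alice:pass@/path": False,                    # userinfo but no host
    "ftp://alice@example.com/": False,                    # scheme outside the allow-list
}


def check_samples() -> dict:
    """Run validate_url over the constructed samples; returns {url: verdict}."""
    return {url: validate_url(url) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(f"{'accept' if verdict else 'reject':6}  {url}")
```

The reason a lenient userinfo check matters is the second invalid sample: when a validator lets a second `@` through, the validator and the HTTP client that later fetches the URL may disagree about where the host begins, so the host that was checked is not necessarily the host that gets contacted. Rejecting anything outside the grammar, as above, removes that ambiguity; the same function also refuses malformed percent-escapes, which most parsers otherwise pass through unchanged.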
Marc Krämer
2021-01-08 01:55:17 CET
Assignee:
mageia => qa-bugs

Installed and tested without issues.
Using php-fpm instead of mod_php.
Tested with various small and large scripts (e.g. wordpress, drupal, phpmyadmin, roundcubemail). Tested HTTP 1.1, HTTP 2, TLS and CLI.
System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php.*7.3.26 | sort
apache-mod_php-7.3.26-1.mga7
lib64php_common7-7.3.26-1.mga7
php-bz2-7.3.26-1.mga7
php-cli-7.3.26-1.mga7
php-ctype-7.3.26-1.mga7
php-curl-7.3.26-1.mga7
php-dom-7.3.26-1.mga7
php-exif-7.3.26-1.mga7
php-fileinfo-7.3.26-1.mga7
php-filter-7.3.26-1.mga7
php-fpm-7.3.26-1.mga7
php-ftp-7.3.26-1.mga7
php-gd-7.3.26-1.mga7
php-gettext-7.3.26-1.mga7
php-iconv-7.3.26-1.mga7
php-ini-7.3.26-1.mga7
php-intl-7.3.26-1.mga7
php-json-7.3.26-1.mga7
php-ldap-7.3.26-1.mga7
php-mbstring-7.3.26-1.mga7
php-mysqli-7.3.26-1.mga7
php-mysqlnd-7.3.26-1.mga7
php-openssl-7.3.26-1.mga7
php-pdo-7.3.26-1.mga7
php-pdo_mysql-7.3.26-1.mga7
php-pdo_sqlite-7.3.26-1.mga7
php-posix-7.3.26-1.mga7
php-session-7.3.26-1.mga7
php-sockets-7.3.26-1.mga7
php-sysvsem-7.3.26-1.mga7
php-sysvshm-7.3.26-1.mga7
php-tokenizer-7.3.26-1.mga7
php-xml-7.3.26-1.mga7
php-xmlreader-7.3.26-1.mga7
php-xmlwriter-7.3.26-1.mga7
php-zip-7.3.26-1.mga7
php-zlib-7.3.26-1.mga7
$ systemctl status httpd.socket php-fpm.socket httpd.service php-fpm.service
● httpd.socket - httpd server activation socket
Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
Active: active (running) since Fri 2021-01-08 10:02:08 WET; 7h ago
Listen: [::]:80 (Stream)
[::]:443 (Stream)
Tasks: 0 (limit: 4684)
Memory: 92.0K
CGroup: /system.slice/httpd.socket
jan 08 10:02:08 marte systemd[1]: Listening on httpd server activation socket.
● php-fpm.socket - php-fpm Server Socket
Loaded: loaded (/usr/local/lib/systemd/system/php-fpm.socket; enabled; vendor preset: disabled)
Active: inactive (dead) since Fri 2021-01-08 15:49:08 WET; 2h 0min ago
Listen: /var/lib/php-fpm/php-fpm.sock (Stream)
jan 08 10:02:08 marte systemd[1]: Listening on php-fpm Server Socket.
jan 08 15:49:08 marte systemd[1]: php-fpm.socket: Succeeded.
jan 08 15:49:08 marte systemd[1]: Closed php-fpm Server Socket.
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2021-01-08 15:43:14 WET; 2h 5min ago
Main PID: 11584 (httpd)
Status: "Total requests: 1031; Idle/Busy workers 100/0;Requests/sec: 0.136; Bytes served/sec: 2.6KB/sec"
Tasks: 66 (limit: 4684)
Memory: 41.9M
CGroup: /system.slice/httpd.service
├─11584 /usr/sbin/httpd -DFOREGROUND
├─11654 /usr/sbin/httpd -DFOREGROUND
└─11656 /usr/sbin/httpd -DFOREGROUND
jan 08 15:43:14 marte systemd[1]: Stopped The Apache HTTP Server.
jan 08 15:43:14 marte systemd[1]: Starting The Apache HTTP Server...
jan 08 15:43:14 marte systemd[1]: Started The Apache HTTP Server.
● php-fpm.service - The PHP FastCGI Process Manager
Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2021-01-08 15:49:08 WET; 2h 0min ago
Main PID: 12968 (php-fpm)
Status: "Processes active: 0, idle: 2, Requests: 165, slow: 0, Traffic: 0req/sec"
Tasks: 3 (limit: 4684)
Memory: 57.2M
CGroup: /system.slice/php-fpm.service
├─12968 php-fpm: master process (/etc/php-fpm.conf)
├─13383 php-fpm: pool www
└─14415 php-fpm: pool www
jan 08 15:49:08 marte systemd[1]: Starting The PHP FastCGI Process Manager...
jan 08 15:49:08 marte php-fpm[12968]: [NOTICE] fpm is running, pid 12968
jan 08 15:49:08 marte php-fpm[12968]: [NOTICE] ready to handle connections
jan 08 15:49:08 marte php-fpm[12968]: [NOTICE] systemd monitor interval set to 10000ms
jan 08 15:49:08 marte systemd[1]: Started The PHP FastCGI Process Manager.

CC:
(none) => mageia

This update has been working for several days without issues. Marking it as OK for x86_64. Feel free to undo the OK if needed.

Whiteboard:
(none) => MGA7-64-OK

Validating. Advisory in Comment 2 and Comment 3.

Keywords:
(none) => validated_update

(In reply to Thomas Andrews from comment #6)
> Validating. Advisory in Comment 2 and Comment 3.

Already done ;) Advisory pushed to SVN.

CC:
(none) => ouaurelien

Aurelien Oudelet
2021-01-14 14:39:13 CET
CVE:
(none) => CVE-2020-7071

can we push backports too?

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0025.html

Status:
NEW => RESOLVED