currently CVE-2020-7067 on handling bad chars
CVE: (none) => CVE-2020-7067QA Contact: (none) => securityComponent: RPM Packages => Security
Updated php packages fix security vulnerabilities: - OOB Read in urldecode() [1] - Integer Overflow in shmop_open() Noteable changes: - Opcache chokes and uses 100% CPU on specific script - curl_copy_handle() memory leak - ZipArchive::open fails on empty file References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7067 https://www.php.net/ChangeLog-7.php#7.3.17 ======================== Updated packages in core/updates_testing: ======================== php-ini-7.3.17-1.mga7 apache-mod_php-7.3.17-1.mga7 php-cli-7.3.17-1.mga7 php-cgi-7.3.17-1.mga7 libphp_common7-7.3.17-1.mga7 php-devel-7.3.17-1.mga7 php-openssl-7.3.17-1.mga7 php-zlib-7.3.17-1.mga7 php-doc-7.3.17-1.mga7 php-bcmath-7.3.17-1.mga7 php-bz2-7.3.17-1.mga7 php-calendar-7.3.17-1.mga7 php-ctype-7.3.17-1.mga7 php-curl-7.3.17-1.mga7 php-dba-7.3.17-1.mga7 php-dom-7.3.17-1.mga7 php-enchant-7.3.17-1.mga7 php-exif-7.3.17-1.mga7 php-fileinfo-7.3.17-1.mga7 php-filter-7.3.17-1.mga7 php-ftp-7.3.17-1.mga7 php-gd-7.3.17-1.mga7 php-gettext-7.3.17-1.mga7 php-gmp-7.3.17-1.mga7 php-hash-7.3.17-1.mga7 php-iconv-7.3.17-1.mga7 php-imap-7.3.17-1.mga7 php-interbase-7.3.17-1.mga7 php-intl-7.3.17-1.mga7 php-json-7.3.17-1.mga7 php-ldap-7.3.17-1.mga7 php-mbstring-7.3.17-1.mga7 php-mysqli-7.3.17-1.mga7 php-mysqlnd-7.3.17-1.mga7 php-odbc-7.3.17-1.mga7 php-opcache-7.3.17-1.mga7 php-pcntl-7.3.17-1.mga7 php-pdo-7.3.17-1.mga7 php-pdo_dblib-7.3.17-1.mga7 php-pdo_firebird-7.3.17-1.mga7 php-pdo_mysql-7.3.17-1.mga7 php-pdo_odbc-7.3.17-1.mga7 php-pdo_pgsql-7.3.17-1.mga7 php-pdo_sqlite-7.3.17-1.mga7 php-pgsql-7.3.17-1.mga7 php-phar-7.3.17-1.mga7 php-posix-7.3.17-1.mga7 php-readline-7.3.17-1.mga7 php-recode-7.3.17-1.mga7 php-session-7.3.17-1.mga7 php-shmop-7.3.17-1.mga7 php-snmp-7.3.17-1.mga7 php-soap-7.3.17-1.mga7 php-sockets-7.3.17-1.mga7 php-sodium-7.3.17-1.mga7 php-sqlite3-7.3.17-1.mga7 php-sysvmsg-7.3.17-1.mga7 php-sysvsem-7.3.17-1.mga7 php-sysvshm-7.3.17-1.mga7 php-tidy-7.3.17-1.mga7 php-tokenizer-7.3.17-1.mga7 php-xml-7.3.17-1.mga7 php-xmlreader-7.3.17-1.mga7 php-xmlrpc-7.3.17-1.mga7 php-xmlwriter-7.3.17-1.mga7 php-xsl-7.3.17-1.mga7 php-wddx-7.3.17-1.mga7 php-zip-7.3.17-1.mga7 php-fpm-7.3.17-1.mga7 phpdbg-7.3.17-1.mga7 php-debugsource-7.3.17-1.mga7 php-debuginfo-7.3.17-1.mga7 apache-mod_php-debuginfo-7.3.17-1.mga7 php-cli-debuginfo-7.3.17-1.mga7 php-cgi-debuginfo-7.3.17-1.mga7 libphp_common7-debuginfo-7.3.17-1.mga7 php-openssl-debuginfo-7.3.17-1.mga7 php-zlib-debuginfo-7.3.17-1.mga7 php-bcmath-debuginfo-7.3.17-1.mga7 php-bz2-debuginfo-7.3.17-1.mga7 php-calendar-debuginfo-7.3.17-1.mga7 php-ctype-debuginfo-7.3.17-1.mga7 php-curl-debuginfo-7.3.17-1.mga7 php-dba-debuginfo-7.3.17-1.mga7 php-dom-debuginfo-7.3.17-1.mga7 php-enchant-debuginfo-7.3.17-1.mga7 php-exif-debuginfo-7.3.17-1.mga7 php-fileinfo-debuginfo-7.3.17-1.mga7 php-filter-debuginfo-7.3.17-1.mga7 php-ftp-debuginfo-7.3.17-1.mga7 php-gd-debuginfo-7.3.17-1.mga7 php-gettext-debuginfo-7.3.17-1.mga7 php-gmp-debuginfo-7.3.17-1.mga7 php-hash-debuginfo-7.3.17-1.mga7 php-iconv-debuginfo-7.3.17-1.mga7 php-imap-debuginfo-7.3.17-1.mga7 php-interbase-debuginfo-7.3.17-1.mga7 php-intl-debuginfo-7.3.17-1.mga7 php-json-debuginfo-7.3.17-1.mga7 php-ldap-debuginfo-7.3.17-1.mga7 php-mbstring-debuginfo-7.3.17-1.mga7 php-mysqli-debuginfo-7.3.17-1.mga7 php-mysqlnd-debuginfo-7.3.17-1.mga7 php-odbc-debuginfo-7.3.17-1.mga7 php-opcache-debuginfo-7.3.17-1.mga7 php-pcntl-debuginfo-7.3.17-1.mga7 php-pdo-debuginfo-7.3.17-1.mga7 php-pdo_dblib-debuginfo-7.3.17-1.mga7 php-pdo_firebird-debuginfo-7.3.17-1.mga7 php-pdo_mysql-debuginfo-7.3.17-1.mga7 php-pdo_odbc-debuginfo-7.3.17-1.mga7 php-pdo_pgsql-debuginfo-7.3.17-1.mga7 php-pdo_sqlite-debuginfo-7.3.17-1.mga7 php-pgsql-debuginfo-7.3.17-1.mga7 php-phar-debuginfo-7.3.17-1.mga7 php-posix-debuginfo-7.3.17-1.mga7 php-readline-debuginfo-7.3.17-1.mga7 php-recode-debuginfo-7.3.17-1.mga7 php-session-debuginfo-7.3.17-1.mga7 php-shmop-debuginfo-7.3.17-1.mga7 php-snmp-debuginfo-7.3.17-1.mga7 php-soap-debuginfo-7.3.17-1.mga7 php-sockets-debuginfo-7.3.17-1.mga7 php-sodium-debuginfo-7.3.17-1.mga7 php-sqlite3-debuginfo-7.3.17-1.mga7 php-sysvmsg-debuginfo-7.3.17-1.mga7 php-sysvsem-debuginfo-7.3.17-1.mga7 php-sysvshm-debuginfo-7.3.17-1.mga7 php-tidy-debuginfo-7.3.17-1.mga7 php-tokenizer-debuginfo-7.3.17-1.mga7 php-xml-debuginfo-7.3.17-1.mga7 php-xmlreader-debuginfo-7.3.17-1.mga7 php-xmlrpc-debuginfo-7.3.17-1.mga7 php-xmlwriter-debuginfo-7.3.17-1.mga7 php-xsl-debuginfo-7.3.17-1.mga7 php-wddx-debuginfo-7.3.17-1.mga7 php-zip-debuginfo-7.3.17-1.mga7 php-fpm-debuginfo-7.3.17-1.mga7 phpdbg-debuginfo-7.3.17-1.mga7 SRPM: php-7.3.17-1.mga7.src.rpm
Assignee: bugsquad => qa-bugs
Installed and tested without issues. Tested with various large scripts (wordpress, phpmyadmin, roundcubemail, drupal and others) using HTTP(S) and CLI. System: Mageia 7, x86_64, Intel CPU. $ uname -a Linux marte 5.5.15-desktop-3.mga7 #1 SMP Sat Apr 4 19:06:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ rpm -qa | grep php.*7.3.17 | sort apache-mod_php-7.3.17-1.mga7 lib64php_common7-7.3.17-1.mga7 php-bz2-7.3.17-1.mga7 php-cli-7.3.17-1.mga7 php-ctype-7.3.17-1.mga7 php-curl-7.3.17-1.mga7 php-dom-7.3.17-1.mga7 php-exif-7.3.17-1.mga7 php-fileinfo-7.3.17-1.mga7 php-filter-7.3.17-1.mga7 php-fpm-7.3.17-1.mga7 php-ftp-7.3.17-1.mga7 php-gd-7.3.17-1.mga7 php-gettext-7.3.17-1.mga7 php-hash-7.3.17-1.mga7 php-iconv-7.3.17-1.mga7 php-ini-7.3.17-1.mga7 php-intl-7.3.17-1.mga7 php-json-7.3.17-1.mga7 php-ldap-7.3.17-1.mga7 php-mbstring-7.3.17-1.mga7 php-mysqli-7.3.17-1.mga7 php-mysqlnd-7.3.17-1.mga7 php-openssl-7.3.17-1.mga7 php-pdo-7.3.17-1.mga7 php-pdo_mysql-7.3.17-1.mga7 php-pdo_sqlite-7.3.17-1.mga7 php-pgsql-7.3.17-1.mga7 php-posix-7.3.17-1.mga7 php-session-7.3.17-1.mga7 php-sockets-7.3.17-1.mga7 php-sysvsem-7.3.17-1.mga7 php-sysvshm-7.3.17-1.mga7 php-tokenizer-7.3.17-1.mga7 php-xml-7.3.17-1.mga7 php-xmlreader-7.3.17-1.mga7 php-xmlwriter-7.3.17-1.mga7 php-zip-7.3.17-1.mga7 php-zlib-7.3.17-1.mga7
CC: (none) => mageia
MGA7-64 Plasma on Lenoovo B50 No installation issues Ref bug 26365 for testing. $ php -r 'phpinfo();' | more phpinfo() PHP Version => 7.3.17 System => Linux mach5.hviaene.thuis 5.5.15-desktop-2.mga7 #1 SMP Sat Apr 4 00:09:11 UTC 2020 x86_64 Build Date => Apr 16 2020 10:26:47 Configure Command => './configure' '--with-apxs2=/usr/bin/apxs' '--with-pic' '-- and loads more ...... Fooled around with phomyadmin: all seems to work OK
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OKCC: (none) => lists.jjorge
Thanks for the tests, guys, and for the OK, Jose. Validating. Advisory information in Comment 1.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0178.html
Status: NEW => RESOLVEDResolution: (none) => FIXED