Bug 27245 - PHP update to php-7.4.11
Summary: PHP update to php-7.4.11
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Backports (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_backport
Depends on: 27239
Blocks:
Reported: 2020-09-05 12:17 CEST by Marc Krämer
Modified: 2020-11-21 13:35 CET (History)

See Also:
Source RPM: php-7.4.10-3.mga7
CVE:
Status comment:

Description Marc Krämer 2020-09-05 12:17:42 CEST
updated backports package to the latest release:
php-7.4.10-3.mga7.src.rpm

RPMS in core/backports_testing:
php-ini-7.4.10-3.mga7
apache-mod_php-7.4.10-3.mga7
php-cli-7.4.10-3.mga7
php-cgi-7.4.10-3.mga7
libphp_common7-7.4.10-3.mga7
php-devel-7.4.10-3.mga7
php-openssl-7.4.10-3.mga7
php-zlib-7.4.10-3.mga7
php-doc-7.4.10-3.mga7
php-bcmath-7.4.10-3.mga7
php-bz2-7.4.10-3.mga7
php-calendar-7.4.10-3.mga7
php-ctype-7.4.10-3.mga7
php-curl-7.4.10-3.mga7
php-dba-7.4.10-3.mga7
php-dom-7.4.10-3.mga7
php-enchant-7.4.10-3.mga7
php-exif-7.4.10-3.mga7
php-fileinfo-7.4.10-3.mga7
php-filter-7.4.10-3.mga7
php-ftp-7.4.10-3.mga7
php-gd-7.4.10-3.mga7
php-gettext-7.4.10-3.mga7
php-gmp-7.4.10-3.mga7
php-iconv-7.4.10-3.mga7
php-imap-7.4.10-3.mga7
php-intl-7.4.10-3.mga7
php-json-7.4.10-3.mga7
php-ldap-7.4.10-3.mga7
php-mbstring-7.4.10-3.mga7
php-mysqli-7.4.10-3.mga7
php-mysqlnd-7.4.10-3.mga7
php-odbc-7.4.10-3.mga7
php-opcache-7.4.10-3.mga7
php-pcntl-7.4.10-3.mga7
php-pdo-7.4.10-3.mga7
php-pdo_dblib-7.4.10-3.mga7
php-pdo_firebird-7.4.10-3.mga7
php-pdo_mysql-7.4.10-3.mga7
php-pdo_odbc-7.4.10-3.mga7
php-pdo_pgsql-7.4.10-3.mga7
php-pdo_sqlite-7.4.10-3.mga7
php-pgsql-7.4.10-3.mga7
php-phar-7.4.10-3.mga7
php-posix-7.4.10-3.mga7
php-readline-7.4.10-3.mga7
php-session-7.4.10-3.mga7
php-shmop-7.4.10-3.mga7
php-snmp-7.4.10-3.mga7
php-soap-7.4.10-3.mga7
php-sockets-7.4.10-3.mga7
php-sodium-7.4.10-3.mga7
php-sqlite3-7.4.10-3.mga7
php-sysvmsg-7.4.10-3.mga7
php-sysvsem-7.4.10-3.mga7
php-sysvshm-7.4.10-3.mga7
php-tidy-7.4.10-3.mga7
php-tokenizer-7.4.10-3.mga7
php-xmlreader-7.4.10-3.mga7
php-xmlrpc-7.4.10-3.mga7
php-xmlwriter-7.4.10-3.mga7
php-xsl-7.4.10-3.mga7
php-zip-7.4.10-3.mga7
php-fpm-7.4.10-3.mga7
php-fpm-apache-7.4.10-3.mga7
phpdbg-7.4.10-3.mga7
php-debugsource-7.4.10-3.mga7
php-debuginfo-7.4.10-3.mga7
apache-mod_php-debuginfo-7.4.10-3.mga7
php-cli-debuginfo-7.4.10-3.mga7
php-cgi-debuginfo-7.4.10-3.mga7
libphp_common7-debuginfo-7.4.10-3.mga7
php-openssl-debuginfo-7.4.10-3.mga7
php-zlib-debuginfo-7.4.10-3.mga7
php-bcmath-debuginfo-7.4.10-3.mga7
php-bz2-debuginfo-7.4.10-3.mga7
php-calendar-debuginfo-7.4.10-3.mga7
php-ctype-debuginfo-7.4.10-3.mga7
php-curl-debuginfo-7.4.10-3.mga7
php-dba-debuginfo-7.4.10-3.mga7
php-dom-debuginfo-7.4.10-3.mga7
php-enchant-debuginfo-7.4.10-3.mga7
php-exif-debuginfo-7.4.10-3.mga7
php-fileinfo-debuginfo-7.4.10-3.mga7
php-filter-debuginfo-7.4.10-3.mga7
php-ftp-debuginfo-7.4.10-3.mga7
php-gd-debuginfo-7.4.10-3.mga7
php-gettext-debuginfo-7.4.10-3.mga7
php-gmp-debuginfo-7.4.10-3.mga7
php-iconv-debuginfo-7.4.10-3.mga7
php-imap-debuginfo-7.4.10-3.mga7
php-intl-debuginfo-7.4.10-3.mga7
php-json-debuginfo-7.4.10-3.mga7
php-ldap-debuginfo-7.4.10-3.mga7
php-mbstring-debuginfo-7.4.10-3.mga7
php-mysqli-debuginfo-7.4.10-3.mga7
php-mysqlnd-debuginfo-7.4.10-3.mga7
php-odbc-debuginfo-7.4.10-3.mga7
php-opcache-debuginfo-7.4.10-3.mga7
php-pcntl-debuginfo-7.4.10-3.mga7
php-pdo-debuginfo-7.4.10-3.mga7
php-pdo_dblib-debuginfo-7.4.10-3.mga7
php-pdo_firebird-debuginfo-7.4.10-3.mga7
php-pdo_mysql-debuginfo-7.4.10-3.mga7
php-pdo_odbc-debuginfo-7.4.10-3.mga7
php-pdo_pgsql-debuginfo-7.4.10-3.mga7
php-pdo_sqlite-debuginfo-7.4.10-3.mga7
php-pgsql-debuginfo-7.4.10-3.mga7
php-phar-debuginfo-7.4.10-3.mga7
php-posix-debuginfo-7.4.10-3.mga7
php-readline-debuginfo-7.4.10-3.mga7
php-session-debuginfo-7.4.10-3.mga7
php-shmop-debuginfo-7.4.10-3.mga7
php-snmp-debuginfo-7.4.10-3.mga7
php-soap-debuginfo-7.4.10-3.mga7
php-sockets-debuginfo-7.4.10-3.mga7
php-sodium-debuginfo-7.4.10-3.mga7
php-sqlite3-debuginfo-7.4.10-3.mga7
php-sysvmsg-debuginfo-7.4.10-3.mga7
php-sysvsem-debuginfo-7.4.10-3.mga7
php-sysvshm-debuginfo-7.4.10-3.mga7
php-tidy-debuginfo-7.4.10-3.mga7
php-tokenizer-debuginfo-7.4.10-3.mga7
php-xmlreader-debuginfo-7.4.10-3.mga7
php-xmlrpc-debuginfo-7.4.10-3.mga7
php-xmlwriter-debuginfo-7.4.10-3.mga7
php-xsl-debuginfo-7.4.10-3.mga7
php-zip-debuginfo-7.4.10-3.mga7
php-fpm-debuginfo-7.4.10-3.mga7
phpdbg-debuginfo-7.4.10-3.mga7
Marc Krämer 2020-09-05 12:17:57 CEST

QA Contact: (none) => qa-bugs

Marc Krämer 2020-09-05 12:18:18 CEST

Depends on: (none) => 27239

Comment 1 Lewis Smith 2020-09-05 20:28:52 CEST
Marc
Thanks for this mammoth update.
You say it is a Backport (which means users have to hunt for it explicitly in Backports); why not a straight update (which happens routinely)?
The current M7 version is 'php-7.3.21-2.mga7.src.rpm'
If it is in fact a normal update of PHP, it will need an Advisory; and assigning to QA - both of which I can do.

CC: (none) => lewyssmith

Comment 2 Marc Krämer 2020-09-06 14:27:12 CEST
Hi Lewis,
we already have php-7.4.8 in backports. php-7.3.x is still supported and maintained. So from mga policy we don't have a regular update to php-7.4. But the changes for programmers (e.g. typed properties) are very interesting, they move on and ask for php 7.4 installations. MGA8 will at least have php 7.4, or 8 if it is published after november. So for many php users this backport is a good step in between those releases.
Comment 3 Lewis Smith 2020-09-06 20:43:52 CEST
Thank you for this explanation. So, this 7.4.10-3 Backport is a non-essential advance, but interested programmers will seek it out.
(Mageia 8 is currently at php-7.4.10-2.mga8.src.rpm).

Assigning thus to QA (I think this is where backports land up).

CC: lewyssmith => (none)
Assignee: bugsquad => qa-bugs
Source RPM: php => php-7.4.10-3.mga7

Comment 4 Herman Viaene 2020-09-13 20:35:48 CEST
MGA7-64 Plasma on Lenovo B50.
When selecting php-fpm-apache
I get:
Sorry, the following package cannot be selected:

- php-fpm-apache-7.4.10-3.mga7.x86_64 (due to conflicts with apache-mod_php-7.4.10-3.mga7.x86_64).
Continuing anyway.

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2020-09-13 21:02:47 CEST
$ php -r 'phpinfo();' | more
PHP Warning:  PHP Startup: apcu: Unable to initialize module
Module compiled with module API=20180731
PHP    compiled with module API=20190902
These options need to match
 in Unknown on line 0
phpinfo()
PHP Version => 7.4.10

System => Linux mach5.hviaene.thuis 5.7.19-desktop-1.mga7 #1 SMP Thu Aug 27 20:27:55 UTC 2020 x86_64
Build Date => Sep  5 2020 10:12:43
Configure Command =>  './configure'  '--with-apxs2=/usr/bin/apxs' '--with-pic' '--build=x86_64-mageia-linux-gnu' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var/lib' '--mandir=/usr/share/man' '--enable-shared=yes' '--enable-static=no' '--disable-debug' '--enable-bcmath=shared' '--enable-calendar=shared' '--enable-ctype=shared' '--enable-dba=shared' '--enable-dom=shared,/usr' '--enable-exif=shared' '--enable-fileinfo=shared' '--enable-filter=shared' '--enable-ftp=shared' '--enable-gd=shared' '--enable-inline-optimization' '--enable-intl=shared' '--enable-json=shared' ' etc ........

Used phpmyadmin to test: all seems OK.
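The "Unable to initialize module" warning in the test above is the classic backport hazard: an extension package (here apcu) built against the module API of the previous PHP branch is still being loaded by the new interpreter, so it silently fails to initialise. The following script is an added example, not part of this bug report or of the Mageia packaging; it parses PHP startup output (a constructed sample modelled on the report, with an additional made-up extension name so more than one warning is exercised) and reports every extension whose module API does not match the interpreter's, which is what a QA tester would want to check after installing a backported interpreter.

```python
import re

# Constructed sample of PHP startup output, modelled on the warning in the
# test report above. "example_ext" is a made-up extension name added so the
# parser is exercised on more than one module.
SAMPLE_OUTPUT = """\
PHP Warning:  PHP Startup: apcu: Unable to initialize module
Module compiled with module API=20180731
PHP    compiled with module API=20190902
These options need to match
 in Unknown on line 0
PHP Warning:  PHP Startup: example_ext: Unable to initialize module
Module compiled with module API=20180731
PHP    compiled with module API=20190902
These options need to match
 in Unknown on line 0
phpinfo()
PHP Version => 7.4.10
"""

# The three lines PHP emits for an API mismatch: the warning naming the
# extension, the API the extension was built for, and the interpreter's API.
START_RE = re.compile(r"PHP Startup: (?P<ext>[\w.-]+): Unable to initialize module")
MODULE_RE = re.compile(r"^Module compiled with module API=(?P<api>\d+)")
PHP_RE = re.compile(r"^PHP\s+compiled with module API=(?P<api>\d+)")


def find_api_mismatches(output):
    """Return (extension, extension_api, interpreter_api) for every
    'Unable to initialize module' warning found in PHP startup output."""
    mismatches = []
    current = None      # extension named by the most recent warning
    module_api = None   # API number parsed for that extension
    for line in output.splitlines():
        m = START_RE.search(line)
        if m:
            current, module_api = m.group("ext"), None
            continue
        if current is None:
            continue
        m = MODULE_RE.match(line)
        if m:
            module_api = m.group("api")
            continue
        m = PHP_RE.match(line)
        if m and module_api is not None:
            mismatches.append((current, module_api, m.group("api")))
            current, module_api = None, None
    return mismatches


def php_version(output):
    """Extract the 'PHP Version => x.y.z' line from phpinfo() output."""
    m = re.search(r"^PHP Version => (\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Feed real output with: php -r 'phpinfo();' 2>&1 | python3 this_script.py
    print("PHP", php_version(SAMPLE_OUTPUT))
    for ext, ext_api, php_api in find_api_mismatches(SAMPLE_OUTPUT):
        print(f"{ext}: built for module API {ext_api}, interpreter has "
              f"{php_api}; the extension package needs a rebuild")
```

Run against the real output of `php -r 'phpinfo();' 2>&1`, an empty result means every loaded extension matches the interpreter; any hit names a package that was not rebuilt along with the backported interpreter and will not be loaded until it is.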
Comment 6 Herman Viaene 2020-09-21 14:52:13 CEST
Since no further reaction OK then.

Whiteboard: (none) => MGA7-64-OK

Comment 7 Aurelien Oudelet 2020-09-21 17:49:56 CEST Comment hidden (obsolete)

CC: (none) => ouaurelien

Comment 8 Aurelien Oudelet 2020-10-16 18:14:25 CEST Comment hidden (obsolete)

Keywords: (none) => validated_backport

Comment 9 Aurelien Oudelet 2020-10-16 23:01:36 CEST
Not OK
https://www.php.net/ChangeLog-7.php#7.4.11

Version 7.4.11
01 Oct 2020

    Core:
        Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-` cookies can be sent). (CVE-2020-7070)

This is already fixed in Bugs 27239 php-7.3.23 for Mageia 7.


We cannot ship backports without security fix.
Should look also Cauldron.
Reassigning back to maintainer.

Keywords: validated_backport => Security
Assignee: qa-bugs => mageia
Whiteboard: MGA7-64-OK => (none)
QA Contact: qa-bugs => (none)
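To make the CVE-2020-7070 entry cited above concrete from the defender's side: the issue is that cookie names were percent-decoded before the `__Host-` prefix check applied, so a name that only decodes to that prefix was treated as a genuine prefixed cookie. The script below is an added example, not code from PHP or from this bug report; it contrasts a parser that decodes names with one that keeps them raw, and adds a check a reverse proxy or log review could use to flag percent-encoded names that would decode to a reserved prefix. The cookie header it uses is constructed.

```python
from urllib.parse import unquote

# Cookie-name prefixes with special meaning to browsers (RFC 6265bis).
RESERVED_PREFIXES = ("__Host-", "__Secure-")


def parse_cookie_header(header, decode_names):
    """Parse a Cookie request header into a list of (name, value) pairs.

    decode_names=True percent-decodes the name, which is the behaviour the
    changelog entry describes as the bug; False keeps the name exactly as sent,
    so an encoded name can never collide with a literal reserved-prefix cookie.
    Values are always decoded."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip()
        if decode_names:
            name = unquote(name)
        pairs.append((name, unquote(value.strip()) if sep else ""))
    return pairs


def suspicious_cookie_names(header):
    """Return raw cookie names that contain percent-escapes and would start
    with a reserved prefix once decoded. A literal __Host- name is fine; only
    the encoded form is flagged, since a browser never sends it that way."""
    flagged = []
    for name, _ in parse_cookie_header(header, decode_names=False):
        if "%" in name and unquote(name).startswith(RESERVED_PREFIXES):
            flagged.append(name)
    return flagged


def cookie_collisions(header):
    """Names that appear more than once after decoding: the lookup ambiguity
    the vulnerable parser introduces."""
    names = [n for n, _ in parse_cookie_header(header, decode_names=True)]
    return sorted({n for n in names if names.count(n) > 1})


# Constructed request header: one ordinary cookie, one name that only decodes
# to __Host-session, and the genuine __Host-session cookie.
SAMPLE_HEADER = "theme=dark; %5F%5FHost-session=bogus; __Host-session=legit"

if __name__ == "__main__":
    print("decoded names :", parse_cookie_header(SAMPLE_HEADER, decode_names=True))
    print("raw names     :", parse_cookie_header(SAMPLE_HEADER, decode_names=False))
    print("flagged       :", suspicious_cookie_names(SAMPLE_HEADER))
    print("collisions    :", cookie_collisions(SAMPLE_HEADER))
```

With names kept raw, `%5F%5FHost-session` stays a distinct, harmless name and the real `__Host-session` cookie is unambiguous; the `suspicious_cookie_names` check is the piece worth running at the edge while an unpatched interpreter is still deployed.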

Comment 10 Marc Krämer 2020-10-21 13:08:31 CEST
"We cannot ship backports without security fix."
???
What do you mean??? php 7.4 is already in backports, and this is a security fix for the version in backports. It contains the security fixes from 7.4.8 to 7.4.11!

And according to our rules, we DON'T have update advisories for backports (still I don't know why). But this was told many times, as I was asking!

Assignee: mageia => qa-bugs

Comment 11 Marc Krämer 2020-10-21 13:12:38 CEST
Fixed issues as follows, including 3 CVEs:

7.4.9:
06 Aug 2020
Apache:
Fixed bug #79030 (Upgrade apache2handler's php_apache_sapi_get_request_time to return usec).
COM:
Fixed bug #63208 (BSTR to PHP string conversion not binary safe).
Fixed bug #63527 (DCOM does not work with Username, Password parameter).
Core:
Fixed bug #79740 (serialize() and unserialize() methods can not be called statically).
Fixed bug #79783 (Segfault in php_str_replace_common).
Fixed bug #79778 (Assertion failure if dumping closure with unresolved static variable).
Fixed bug #79779 (Assertion failure when assigning property of string offset by reference).
Fixed bug #79792 (HT iterators not removed if empty array is destroyed).
Fixed bug #78598 (Changing array during undef index RW error segfaults).
Fixed bug #79784 (Use after free if changing array during undef var during array write fetch).
Fixed bug #79793 (Use after free if string used in undefined index warning is changed).
Fixed bug #79862 (Public non-static property in child should take priority over private static).
Fixed bug #79877 (getimagesize function silently truncates after a null byte) (cmb)
Fileinfo:
Fixed bug #79756 (finfo_file crash (FILEINFO_MIME)).
FTP:
Fixed bug #55857 (ftp_size on large files).
Mbstring:
Fixed bug #79787 (mb_strimwidth does not trim string).
Phar:
Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile function). (CVE-2020-7068)
Reflection:
Fixed bug #79487 (::getStaticProperties() ignores property modifications).
Fixed bug #69804 (::getStaticPropertyValue() throws on protected props).
Fixed bug #79820 (Use after free when type duplicated into ReflectionProperty gets resolved).
Standard:
Fixed bug #70362 (Can't copy() large 'data://' with open_basedir).
Fixed bug #78008 (dns_check_record() always return true on Alpine).
Fixed bug #79839 (array_walk() does not respect property types).


7.4.10:
03 Sep 2020
Core:
Fixed bug #79884 (PHP_CONFIG_FILE_PATH is meaningless).
Fixed bug #77932 (File extensions are case-sensitive).
Fixed bug #79806 (realpath() erroneously resolves link to link).
Fixed bug #79895 (PHP_CHECK_GCC_ARG does not allow flags with equal sign).
Fixed bug #79919 (Stack use-after-scope in define()).
Fixed bug #79934 (CRLF-only line in heredoc causes parsing error).
Fixed bug #79947 (Memory leak on invalid offset type in compound assignment).
COM:
Fixed bug #48585 (com_load_typelib holds reference, fails on second call).
Exif:
Fixed bug #75785 (Many errors from exif_read_data).
Gettext:
Fixed bug #70574 (Tests fail due to relying on Linux fallback behavior for gettext()).
LDAP:
Fixed memory leaks.
OPcache:
Fixed bug #73060 (php failed with error after temp folder cleaned up).
Fixed bug #79917 (File cache segfault with a static variable in inherited method).
PDO:
Fixed bug #64705 (errorInfo property of PDOException is null when PDO::__construct() fails).
Session:
Fixed bug #79724 (Return type does not match in ext/session/mod_mm.c).
Standard:
Fixed bug #79930 (array_merge_recursive() crashes when called with array with single reference).
Fixed bug #79944 (getmxrr always returns true on Alpine linux).
Fixed bug #79951 (Memory leak in str_replace of empty string).
XML:
Fixed bug #79922 (Crash after multiple calls to xml_parser_free()).


7.4.11:
01 Oct 2020
Core:
Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-` cookies can be sent). (CVE-2020-7070)
Fixed bug #79979 (passing value to by-ref param via CUFA crashes).
Fixed bug #80037 (Typed property must not be accessed before initialization when __get() declared).
Fixed bug #80048 (Bug #69100 has not been fixed for Windows).
Fixed bug #80049 (Memleak when coercing integers to string via variadic argument).
Calendar:
Fixed bug #80007 (Potential type confusion in unixtojd() parameter parsing).
COM:
Fixed bug #64130 (COM obj parameters passed by reference are not updated).
OPcache:
Fixed bug #80002 (calc free space for new interned string is wrong).
Fixed bug #80046 (FREE for SWITCH_STRING optimized away).
Fixed bug #79825 (opcache.file_cache causes SIGSEGV when custom opcode handlers changed).
OpenSSL:
Fixed bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV). (CVE-2020-7069)
PDO:
Fixed bug #80027 (Terrible performance using $query->fetch on queries with many bind parameters).
SOAP:
Fixed bug #47021 (SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked").
Standard:
Fixed bug #79986 (str_ireplace bug with diacritics characters).
Fixed bug #80077 (getmxrr test bug).
Fixed bug #72941 (Modifying bucket->data by-ref has no effect any longer).
Fixed bug #80067 (Omitting the port in bindto setting errors).
Marc Krämer 2020-10-21 13:12:54 CEST

Summary: PHP update to php-7.4.10 => PHP update to php-7.4.11

Comment 12 Aurelien Oudelet 2020-10-21 13:17:33 CEST
(In reply to Marc Krämer from comment #10)
> "We cannot ship backports without security fix."
> ???
> What do you mean??? php 7.4 is already in backports, and this is a security
> fix for the version in backports. It contains the security fixes from 7.4.8
> to 7.4.11!
> 
> And according to our rules, we DON'T have update advisories for backports
> (still I don't know why). But this was told many times, as I was asking!

Because I see upstream adv and a Security fix was released for 7.4.11.
I DO see 7.4.10 in backports_testing.
At time of writing this, this mirror http://ftp.free.fr/mirrors/mageia.org/distrib/7.1/x86_64/media/core/backports_testing/ still shows 7.4.10.

So excuse me. I DO know we don't provide adv for backports. I only would like to at least not ship backport with holes.
Comment 13 Marc Krämer 2020-10-21 13:56:55 CEST
@Aurelien: Sorry. You're right.
This was originally created for 7.4.10 and due to some problems with rpm-index, installation issues, ... it was held back until 7.3.x was released.
I've forgotten to update it. And sorry again, I misunderstood your original post.
Comment 14 Aurelien Oudelet 2020-10-21 14:36:28 CEST
Communication ;)
As English is not my native language, sometimes I can use too strong words ;)
You're welcome.
Comment 15 Marc Krämer 2020-10-21 16:15:44 CEST
"As English is not my native language", this holds for me too :)
Comment 16 PC LX 2020-10-21 16:23:34 CEST
Possibly off-topic but here seems an appropriate place to ask.
Active support for PHP 7.3 branch will end on 6 Dec 2020, in about 6 weeks.

Will Mageia 7 switch to PHP 7.4 as its main version or will it continue with branch 7.3 in main repos and only provide security updates?

I'm asking because I may have to test an update from 7.3 to 7.4 sooner rather than later.

My apologies if this is not an appropriate place.

CC: (none) => mageia

Comment 17 Marc Krämer 2020-10-21 17:06:14 CEST
@PC LX: security support for 7.3 will continue until 6 Dec 2021, so there is no need for mageia 7 to switch.
Active support means, introducing new features and bug fixing will not continue here. But severe bugs will still be addressed.
For all those users, who need a newer php version I've backported it to mga7. This should also make updates to mga8 less error prone.
Since release for php 8 is scheduled to November 26, 2020, we will ship mga8 with php 7.4 and soon have php 8 in backports for mga8 (as I hope).
Aurelien Oudelet 2020-10-24 18:44:43 CEST

Keywords: Security => validated_backport
CC: ouaurelien => (none)

Comment 18 Thomas Backlund 2020-11-21 13:35:31 CET
moved

Status: NEW => RESOLVED
Resolution: (none) => FIXED
