28036 – PHP 7.3.26 (fixes CVE-2020-7071)

Bug 28036 - PHP 7.3.26 (fixes CVE-2020-7071)

Summary: PHP 7.3.26 (fixes CVE-2020-7071)

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	7
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA7-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:	28037
	Show dependency tree / graph

Reported:	2021-01-07 19:16 CET by Marc Krämer
Modified:	2021-01-14 16:14 CET (History)
CC List:	4 users (show)

See Also:
Source RPM:	php-7.3.23-1.mga7.src.rpm
CVE:	CVE-2020-7071
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Marc Krämer 2021-01-07 19:16:33 CET

PHP 7.3.26:
Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071)

Marc Krämer 2021-01-07 19:18:24 CET

Blocks: (none) => 28037

Comment 1 David Walser 2021-01-07 20:43:33 CET

https://www.php.net/ChangeLog-7.php#PHP_7_3

Summary: PHP: Security issue => PHP 7.3.26 (fixes CVE-2020-7071)
Source RPM: php-7.3 => php-7.3.23-1.mga7.src.rpm

Comment 2 Marc Krämer 2021-01-07 20:48:08 CET

Suggested advisory:
========================

Updated php to fix security vulnerabilities:

- FILTER_VALIDATE_URL accepts URLs with invalid userinfo [1]
- stream_get_contents() fails with maxlength=-1 or default

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7071
[2] https://www.php.net/ChangeLog-7.php#PHP_7_3_26
========================

Updated packages in core/updates_testing:
apache-mod_php-7.3.26-1.mga7
php-bcmath-7.3.26-1.mga7
php-bz2-7.3.26-1.mga7
php-calendar-7.3.26-1.mga7
php-cgi-7.3.26-1.mga7
php-cli-7.3.26-1.mga7
php-ctype-7.3.26-1.mga7
php-curl-7.3.26-1.mga7
php-dba-7.3.26-1.mga7
php-devel-7.3.26-1.mga7
php-doc-7.3.26-1.mga7
php-dom-7.3.26-1.mga7
php-enchant-7.3.26-1.mga7
php-exif-7.3.26-1.mga7
php-fileinfo-7.3.26-1.mga7
php-filter-7.3.26-1.mga7
php-fpm-7.3.26-1.mga7
php-fpm-apache-7.3.26-1.mga7
php-ftp-7.3.26-1.mga7
php-gd-7.3.26-1.mga7
php-gettext-7.3.26-1.mga7
php-gmp-7.3.26-1.mga7
php-iconv-7.3.26-1.mga7
php-imagick-3.4.4-1.1.mga7
php-imap-7.3.26-1.mga7
php-ini-7.3.26-1.mga7
php-interbase-7.3.26-1.mga7
php-intl-7.3.26-1.mga7
php-json-7.3.26-1.mga7
php-ldap-7.3.26-1.mga7
php-mbstring-7.3.26-1.mga7
php-mysqli-7.3.26-1.mga7
php-mysqlnd-7.3.26-1.mga7
php-odbc-7.3.26-1.mga7
php-oojs-oojs-ui-0.41.0-1.mga7
php-opcache-7.3.26-1.mga7
php-openssl-7.3.26-1.mga7
php-pcntl-7.3.26-1.mga7
php-pdo-7.3.26-1.mga7
php-pdo_dblib-7.3.26-1.mga7
php-pdo_firebird-7.3.26-1.mga7
php-pdo_mysql-7.3.26-1.mga7
php-pdo_odbc-7.3.26-1.mga7
php-pdo_pgsql-7.3.26-1.mga7
php-pdo_sqlite-7.3.26-1.mga7
php-pgsql-7.3.26-1.mga7
php-phar-7.3.26-1.mga7
php-posix-7.3.26-1.mga7
php-readline-7.3.26-1.mga7
php-recode-7.3.26-1.mga7
php-session-7.3.26-1.mga7
php-shmop-7.3.26-1.mga7
php-snmp-7.3.26-1.mga7
php-soap-7.3.26-1.mga7
php-sockets-7.3.26-1.mga7
php-sodium-7.3.26-1.mga7
php-sqlite3-7.3.26-1.mga7
php-sysvmsg-7.3.26-1.mga7
php-sysvsem-7.3.26-1.mga7
php-sysvshm-7.3.26-1.mga7
php-tidy-7.3.26-1.mga7
php-tokenizer-7.3.26-1.mga7
php-wddx-7.3.26-1.mga7
php-xml-7.3.26-1.mga7
php-xmlreader-7.3.26-1.mga7
php-xmlrpc-7.3.26-1.mga7
php-xmlwriter-7.3.26-1.mga7
php-xsl-7.3.26-1.mga7
php-zip-7.3.26-1.mga7
php-zlib-7.3.26-1.mga7
phpdbg-7.3.26-1.mga7

SRPM:
php-7.3.26-1.mga7.src.rpm

Comment 3 David Walser 2021-01-07 22:03:56 CET

replace [1] with (CVE-2020-7071) in the advisory, to be clear

Marc Krämer 2021-01-08 01:55:17 CET

Assignee: mageia => qa-bugs

Comment 4 PC LX 2021-01-08 18:50:42 CET

Installed and tested without issues.

Using php-fpm instead of mod_php.

Tested with various small and large scripts (e.g. wordpress, drupal, phpmyadmin, roundcubemail). Tested HTTP 1.1, HTTP 2, TLS and CLI.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php.*7.3.26 | sort
apache-mod_php-7.3.26-1.mga7
lib64php_common7-7.3.26-1.mga7
php-bz2-7.3.26-1.mga7
php-cli-7.3.26-1.mga7
php-ctype-7.3.26-1.mga7
php-curl-7.3.26-1.mga7
php-dom-7.3.26-1.mga7
php-exif-7.3.26-1.mga7
php-fileinfo-7.3.26-1.mga7
php-filter-7.3.26-1.mga7
php-fpm-7.3.26-1.mga7
php-ftp-7.3.26-1.mga7
php-gd-7.3.26-1.mga7
php-gettext-7.3.26-1.mga7
php-iconv-7.3.26-1.mga7
php-ini-7.3.26-1.mga7
php-intl-7.3.26-1.mga7
php-json-7.3.26-1.mga7
php-ldap-7.3.26-1.mga7
php-mbstring-7.3.26-1.mga7
php-mysqli-7.3.26-1.mga7
php-mysqlnd-7.3.26-1.mga7
php-openssl-7.3.26-1.mga7
php-pdo-7.3.26-1.mga7
php-pdo_mysql-7.3.26-1.mga7
php-pdo_sqlite-7.3.26-1.mga7
php-posix-7.3.26-1.mga7
php-session-7.3.26-1.mga7
php-sockets-7.3.26-1.mga7
php-sysvsem-7.3.26-1.mga7
php-sysvshm-7.3.26-1.mga7
php-tokenizer-7.3.26-1.mga7
php-xml-7.3.26-1.mga7
php-xmlreader-7.3.26-1.mga7
php-xmlwriter-7.3.26-1.mga7
php-zip-7.3.26-1.mga7
php-zlib-7.3.26-1.mga7
$ systemctl status httpd.socket php-fpm.socket httpd.service php-fpm.service 
● httpd.socket - httpd server activation socket
   Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-01-08 10:02:08 WET; 7h ago
   Listen: [::]:80 (Stream)
           [::]:443 (Stream)
    Tasks: 0 (limit: 4684)
   Memory: 92.0K
   CGroup: /system.slice/httpd.socket

jan 08 10:02:08 marte systemd[1]: Listening on httpd server activation socket.

● php-fpm.socket - php-fpm Server Socket
   Loaded: loaded (/usr/local/lib/systemd/system/php-fpm.socket; enabled; vendor preset: disabled)
   Active: inactive (dead) since Fri 2021-01-08 15:49:08 WET; 2h 0min ago
   Listen: /var/lib/php-fpm/php-fpm.sock (Stream)

jan 08 10:02:08 marte systemd[1]: Listening on php-fpm Server Socket.
jan 08 15:49:08 marte systemd[1]: php-fpm.socket: Succeeded.
jan 08 15:49:08 marte systemd[1]: Closed php-fpm Server Socket.

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-01-08 15:43:14 WET; 2h 5min ago
 Main PID: 11584 (httpd)
   Status: "Total requests: 1031; Idle/Busy workers 100/0;Requests/sec: 0.136; Bytes served/sec: 2.6KB/sec"
    Tasks: 66 (limit: 4684)
   Memory: 41.9M
   CGroup: /system.slice/httpd.service
           ├─11584 /usr/sbin/httpd -DFOREGROUND
           ├─11654 /usr/sbin/httpd -DFOREGROUND
           └─11656 /usr/sbin/httpd -DFOREGROUND

jan 08 15:43:14 marte systemd[1]: Stopped The Apache HTTP Server.
jan 08 15:43:14 marte systemd[1]: Starting The Apache HTTP Server...
jan 08 15:43:14 marte systemd[1]: Started The Apache HTTP Server.

● php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-01-08 15:49:08 WET; 2h 0min ago
 Main PID: 12968 (php-fpm)
   Status: "Processes active: 0, idle: 2, Requests: 165, slow: 0, Traffic: 0req/sec"
    Tasks: 3 (limit: 4684)
   Memory: 57.2M
   CGroup: /system.slice/php-fpm.service
           ├─12968 php-fpm: master process (/etc/php-fpm.conf)
           ├─13383 php-fpm: pool www
           └─14415 php-fpm: pool www

jan 08 15:49:08 marte systemd[1]: Starting The PHP FastCGI Process Manager...
jan 08 15:49:08 marte php-fpm[12968]: [NOTICE] fpm is running, pid 12968
jan 08 15:49:08 marte php-fpm[12968]: [NOTICE] ready to handle connections
jan 08 15:49:08 marte php-fpm[12968]: [NOTICE] systemd monitor interval set to 10000ms
jan 08 15:49:08 marte systemd[1]: Started The PHP FastCGI Process Manager.

CC: (none) => mageia

Comment 5 PC LX 2021-01-12 14:46:56 CET

This update has been working for several days without issues. Marking it as OK for x86_64. Fell free to undo the OK if needed.

Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2021-01-14 14:06:24 CET

Validating. Advisory in Comment 2 and Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Aurelien Oudelet 2021-01-14 14:39:01 CET

(In reply to Thomas Andrews from comment #6)
> Validating. Advisory in Comment 2 and Comment 3.
Already done ;)
Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Aurelien Oudelet 2021-01-14 14:39:13 CET

CVE: (none) => CVE-2020-7071

Comment 8 Marc Krämer 2021-01-14 14:39:56 CET

can we push backports too?

Comment 9 Mageia Robot 2021-01-14 16:14:54 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0025.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.