PHP 7.3.26: Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071)
Blocks: (none) => 28037
https://www.php.net/ChangeLog-7.php#PHP_7_3
Summary: PHP: Security issue => PHP 7.3.26 (fixes CVE-2020-7071)
Source RPM: php-7.3 => php-7.3.23-1.mga7.src.rpm
Suggested advisory:
========================

Updated php to fix security vulnerabilities:

- FILTER_VALIDATE_URL accepts URLs with invalid userinfo [1]
- stream_get_contents() fails with maxlength=-1 or default

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7071
[2] https://www.php.net/ChangeLog-7.php#PHP_7_3_26
========================

Updated packages in core/updates_testing:

apache-mod_php-7.3.26-1.mga7
php-bcmath-7.3.26-1.mga7
php-bz2-7.3.26-1.mga7
php-calendar-7.3.26-1.mga7
php-cgi-7.3.26-1.mga7
php-cli-7.3.26-1.mga7
php-ctype-7.3.26-1.mga7
php-curl-7.3.26-1.mga7
php-dba-7.3.26-1.mga7
php-devel-7.3.26-1.mga7
php-doc-7.3.26-1.mga7
php-dom-7.3.26-1.mga7
php-enchant-7.3.26-1.mga7
php-exif-7.3.26-1.mga7
php-fileinfo-7.3.26-1.mga7
php-filter-7.3.26-1.mga7
php-fpm-7.3.26-1.mga7
php-fpm-apache-7.3.26-1.mga7
php-ftp-7.3.26-1.mga7
php-gd-7.3.26-1.mga7
php-gettext-7.3.26-1.mga7
php-gmp-7.3.26-1.mga7
php-iconv-7.3.26-1.mga7
php-imagick-3.4.4-1.1.mga7
php-imap-7.3.26-1.mga7
php-ini-7.3.26-1.mga7
php-interbase-7.3.26-1.mga7
php-intl-7.3.26-1.mga7
php-json-7.3.26-1.mga7
php-ldap-7.3.26-1.mga7
php-mbstring-7.3.26-1.mga7
php-mysqli-7.3.26-1.mga7
php-mysqlnd-7.3.26-1.mga7
php-odbc-7.3.26-1.mga7
php-oojs-oojs-ui-0.41.0-1.mga7
php-opcache-7.3.26-1.mga7
php-openssl-7.3.26-1.mga7
php-pcntl-7.3.26-1.mga7
php-pdo-7.3.26-1.mga7
php-pdo_dblib-7.3.26-1.mga7
php-pdo_firebird-7.3.26-1.mga7
php-pdo_mysql-7.3.26-1.mga7
php-pdo_odbc-7.3.26-1.mga7
php-pdo_pgsql-7.3.26-1.mga7
php-pdo_sqlite-7.3.26-1.mga7
php-pgsql-7.3.26-1.mga7
php-phar-7.3.26-1.mga7
php-posix-7.3.26-1.mga7
php-readline-7.3.26-1.mga7
php-recode-7.3.26-1.mga7
php-session-7.3.26-1.mga7
php-shmop-7.3.26-1.mga7
php-snmp-7.3.26-1.mga7
php-soap-7.3.26-1.mga7
php-sockets-7.3.26-1.mga7
php-sodium-7.3.26-1.mga7
php-sqlite3-7.3.26-1.mga7
php-sysvmsg-7.3.26-1.mga7
php-sysvsem-7.3.26-1.mga7
php-sysvshm-7.3.26-1.mga7
php-tidy-7.3.26-1.mga7
php-tokenizer-7.3.26-1.mga7
php-wddx-7.3.26-1.mga7
php-xml-7.3.26-1.mga7
php-xmlreader-7.3.26-1.mga7
php-xmlrpc-7.3.26-1.mga7
php-xmlwriter-7.3.26-1.mga7
php-xsl-7.3.26-1.mga7
php-zip-7.3.26-1.mga7
php-zlib-7.3.26-1.mga7
phpdbg-7.3.26-1.mga7

SRPM:
php-7.3.26-1.mga7.src.rpm
Replace [1] with (CVE-2020-7071) in the advisory, to be clear.
Assignee: mageia => qa-bugs
Installed and tested without issues. Using php-fpm instead of mod_php. Tested with various small and large scripts (e.g. wordpress, drupal, phpmyadmin, roundcubemail). Tested HTTP 1.1, HTTP 2, TLS and CLI.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep php.*7.3.26 | sort
apache-mod_php-7.3.26-1.mga7
lib64php_common7-7.3.26-1.mga7
php-bz2-7.3.26-1.mga7
php-cli-7.3.26-1.mga7
php-ctype-7.3.26-1.mga7
php-curl-7.3.26-1.mga7
php-dom-7.3.26-1.mga7
php-exif-7.3.26-1.mga7
php-fileinfo-7.3.26-1.mga7
php-filter-7.3.26-1.mga7
php-fpm-7.3.26-1.mga7
php-ftp-7.3.26-1.mga7
php-gd-7.3.26-1.mga7
php-gettext-7.3.26-1.mga7
php-iconv-7.3.26-1.mga7
php-ini-7.3.26-1.mga7
php-intl-7.3.26-1.mga7
php-json-7.3.26-1.mga7
php-ldap-7.3.26-1.mga7
php-mbstring-7.3.26-1.mga7
php-mysqli-7.3.26-1.mga7
php-mysqlnd-7.3.26-1.mga7
php-openssl-7.3.26-1.mga7
php-pdo-7.3.26-1.mga7
php-pdo_mysql-7.3.26-1.mga7
php-pdo_sqlite-7.3.26-1.mga7
php-posix-7.3.26-1.mga7
php-session-7.3.26-1.mga7
php-sockets-7.3.26-1.mga7
php-sysvsem-7.3.26-1.mga7
php-sysvshm-7.3.26-1.mga7
php-tokenizer-7.3.26-1.mga7
php-xml-7.3.26-1.mga7
php-xmlreader-7.3.26-1.mga7
php-xmlwriter-7.3.26-1.mga7
php-zip-7.3.26-1.mga7
php-zlib-7.3.26-1.mga7

$ systemctl status httpd.socket php-fpm.socket httpd.service php-fpm.service
● httpd.socket - httpd server activation socket
   Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-01-08 10:02:08 WET; 7h ago
   Listen: [::]:80 (Stream)
           [::]:443 (Stream)
    Tasks: 0 (limit: 4684)
   Memory: 92.0K
   CGroup: /system.slice/httpd.socket

jan 08 10:02:08 marte systemd[1]: Listening on httpd server activation socket.

● php-fpm.socket - php-fpm Server Socket
   Loaded: loaded (/usr/local/lib/systemd/system/php-fpm.socket; enabled; vendor preset: disabled)
   Active: inactive (dead) since Fri 2021-01-08 15:49:08 WET; 2h 0min ago
   Listen: /var/lib/php-fpm/php-fpm.sock (Stream)

jan 08 10:02:08 marte systemd[1]: Listening on php-fpm Server Socket.
jan 08 15:49:08 marte systemd[1]: php-fpm.socket: Succeeded.
jan 08 15:49:08 marte systemd[1]: Closed php-fpm Server Socket.

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-01-08 15:43:14 WET; 2h 5min ago
 Main PID: 11584 (httpd)
   Status: "Total requests: 1031; Idle/Busy workers 100/0;Requests/sec: 0.136; Bytes served/sec: 2.6KB/sec"
    Tasks: 66 (limit: 4684)
   Memory: 41.9M
   CGroup: /system.slice/httpd.service
           ├─11584 /usr/sbin/httpd -DFOREGROUND
           ├─11654 /usr/sbin/httpd -DFOREGROUND
           └─11656 /usr/sbin/httpd -DFOREGROUND

jan 08 15:43:14 marte systemd[1]: Stopped The Apache HTTP Server.
jan 08 15:43:14 marte systemd[1]: Starting The Apache HTTP Server...
jan 08 15:43:14 marte systemd[1]: Started The Apache HTTP Server.

● php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-01-08 15:49:08 WET; 2h 0min ago
 Main PID: 12968 (php-fpm)
   Status: "Processes active: 0, idle: 2, Requests: 165, slow: 0, Traffic: 0req/sec"
    Tasks: 3 (limit: 4684)
   Memory: 57.2M
   CGroup: /system.slice/php-fpm.service
           ├─12968 php-fpm: master process (/etc/php-fpm.conf)
           ├─13383 php-fpm: pool www
           └─14415 php-fpm: pool www

jan 08 15:49:08 marte systemd[1]: Starting The PHP FastCGI Process Manager...
jan 08 15:49:08 marte php-fpm[12968]: [NOTICE] fpm is running, pid 12968
jan 08 15:49:08 marte php-fpm[12968]: [NOTICE] ready to handle connections
jan 08 15:49:08 marte php-fpm[12968]: [NOTICE] systemd monitor interval set to 10000ms
jan 08 15:49:08 marte systemd[1]: Started The PHP FastCGI Process Manager.
CC: (none) => mageia
This update has been working for several days without issues. Marking it as OK for x86_64. Feel free to undo the OK if needed.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 2 and Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
(In reply to Thomas Andrews from comment #6)
> Validating. Advisory in Comment 2 and Comment 3.

Already done ;) Advisory pushed to SVN.
CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2020-7071
Can we push backports too?
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0025.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED