RLSA-2020:1624

Source
https://errata.rockylinux.org/RLSA-2020:1624
Import Source
https://storage.googleapis.com/resf-osv-data/RLSA-2020:1624.json
JSON Data
https://api.osv.dev/v1/vulns/RLSA-2020:1624
Related
Published
2020-04-28T08:57:54Z
Modified
2023-02-02T13:03:36.952910Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Moderate: php:7.2 security, bug fix, and enhancement update
Details

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

The following packages have been upgraded to a later upstream version: php (7.2.24). (BZ#1726981)

Security Fix(es):

  • php: Invalid memory access in function xmlrpc_decode() (CVE-2019-9020)

  • php: File rename across filesystems may allow unwanted access during processing (CVE-2019-9637)

  • php: Uninitialized read in exifprocessIFDinMAKERNOTE (CVE-2019-9638)

  • php: Uninitialized read in exifprocessIFDinMAKERNOTE (CVE-2019-9639)

  • php: Invalid read in exifprocessSOFn() (CVE-2019-9640)

  • php: Out-of-bounds read due to integer overflow in iconvmimedecode_headers() (CVE-2019-11039)

  • php: Buffer over-read in exifreaddata() (CVE-2019-11040)

  • php: Buffer over-read in PHAR reading functions (CVE-2018-20783)

  • php: Heap-based buffer over-read in PHAR reading functions (CVE-2019-9021)

  • php: memcpy with negative length via crafted DNS response (CVE-2019-9022)

  • php: Heap-based buffer over-read in mbstring regular expression functions (CVE-2019-9023)

  • php: Out-of-bounds read in base64decodexmlrpc in ext/xmlrpc/libxmlrpc/base64.c (CVE-2019-9024)

  • php: Heap buffer overflow in function exifprocessIFD_TAG() (CVE-2019-11034)

  • php: Heap buffer overflow in function exifiifadd_value() (CVE-2019-11035)

  • php: Buffer over-read in exifprocessIFD_TAG() leading to information disclosure (CVE-2019-11036)

  • php: Heap buffer over-read in exifscanthumbnail() (CVE-2019-11041)

  • php: Heap buffer over-read in exifprocessuser_comment() (CVE-2019-11042)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Rocky Linux 8.2 Release Notes linked from the References section.

References
Credits
    • Rocky Enterprise Software Foundation
    • Red Hat

Affected packages

Rocky Linux:8 / libzip

Package

Name
libzip
Purl
pkg:rpm/rocky-linux/libzip?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:1.5.1-2.module+el8.4.0+413+c9202dda

Rocky Linux:8 / php

Package

Name
php
Purl
pkg:rpm/rocky-linux/php?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:7.2.24-1.module+el8.4.0+413+c9202dda

Rocky Linux:8 / php-pear

Package

Name
php-pear
Purl
pkg:rpm/rocky-linux/php-pear?distro=rocky-linux-8&epoch=1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:1.10.5-9.module+el8.4.0+413+c9202dda

Rocky Linux:8 / php-pecl-apcu

Package

Name
php-pecl-apcu
Purl
pkg:rpm/rocky-linux/php-pecl-apcu?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:5.1.12-2.module+el8.4.0+413+c9202dda

Rocky Linux:8 / php-pecl-zip

Package

Name
php-pecl-zip
Purl
pkg:rpm/rocky-linux/php-pecl-zip?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:1.15.3-1.module+el8.4.0+413+c9202dda