Oval Definition:oval:com.redhat.rhsa:def:20203662
Revision Date:2020-09-08Version:638
Title:RHSA-2020:3662: php:7.3 security, bug fix, and enhancement update (Moderate)
Description:PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

  • The following packages have been upgraded to a later upstream version: php (7.3.20). (BZ#1856655)

    Security Fix(es):

  • php: Out-of-bounds read due to integer overflow in iconv_mime_decode_headers() (CVE-2019-11039)

  • php: Buffer over-read in exif_read_data() (CVE-2019-11040)

  • php: DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte (CVE-2019-11045)

  • php: Information disclosure in exif_read_data() (CVE-2019-11047)

  • php: Integer wraparounds when receiving multipart forms (CVE-2019-11048)

  • oniguruma: Use-after-free in onig_new_deluxe() in regext.c (CVE-2019-13224)

  • oniguruma: NULL pointer dereference in match_at() in regexec.c (CVE-2019-13225)

  • oniguruma: Stack exhaustion in regcomp.c because of recursion in regparse.c (CVE-2019-16163)

  • oniguruma: Heap-based buffer over-read in function gb18030_mbc_enc_len in file gb18030.c (CVE-2019-19203)

  • oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c (CVE-2019-19204)

  • pcre: Out of bounds read in JIT mode when \X is used in non-UTF mode (CVE-2019-20454)

  • php: Out of bounds read in php_strip_tags_ex (CVE-2020-7059)

  • php: Global buffer-overflow in mbfl_filt_conv_big5_wchar function (CVE-2020-7060)

  • php: NULL pointer dereference in PHP session upload progress (CVE-2020-7062)

  • php: Files added to tar with Phar::buildFromIterator have all-access permissions (CVE-2020-7063)

  • php: Information disclosure in exif_read_data() function (CVE-2020-7064)

  • php: Using mb_strtolower() function with UTF-32LE encoding leads to potential code execution (CVE-2020-7065)

  • php: Heap buffer over-read in exif_scan_thumbnail() (CVE-2019-11041)

  • php: Heap buffer over-read in exif_process_user_comment() (CVE-2019-11042)

  • php: Out of bounds read when parsing EXIF information (CVE-2019-11050)

  • oniguruma: Heap-based buffer overflow in str_lower_case_match in regexec.c (CVE-2019-19246)

  • php: Information disclosure in function get_headers (CVE-2020-7066)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
  • Family:unixClass:patch
    Status:Reference(s):CVE-2019-11039
    CVE-2019-11040
    CVE-2019-11041
    CVE-2019-11042
    CVE-2019-11045
    CVE-2019-11047
    CVE-2019-11048
    CVE-2019-11050
    CVE-2019-13224
    CVE-2019-13225
    CVE-2019-16163
    CVE-2019-19203
    CVE-2019-19204
    CVE-2019-19246
    CVE-2019-20454
    CVE-2020-7059
    CVE-2020-7060
    CVE-2020-7062
    CVE-2020-7063
    CVE-2020-7064
    CVE-2020-7065
    CVE-2020-7066
    RHSA-2020:3662
    Platform(s):Red Hat Enterprise Linux 8
    Product(s):
    Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 8 is installed
  • OR Red Hat CoreOS 4 is installed
  • AND
  • Module php:7.3 is enabled
  • BACK