MGASA-2020-0387

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2020-0387.html

Import Source

https://advisories.mageia.org/MGASA-2020-0387.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2020-0387

Related

CVE-2020-7070

Published

2020-10-16T17:04:43Z

Modified

2020-10-16T16:30:18Z

Summary

Updated php packages fix a security vulnerability

Details

In PHP versions 7.2.x when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. (CVE-2020-7070)

These updated packages also fix several bugs: Core: - realpath() erroneously resolves link to link - Stack use-after-scope in define() - getimagesize function silently truncates after a null byte - Memleak when coercing integers to string via variadic argument

Fileinfo: finfofile crash (FILEINFOMIME)

LDAP: Fixed memory leaks.

OPCache: opcache.file_cache causes SIGSEGV when custom opcode handlers changed.

Standard: Memory leak in str_replace of empty string

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:7 / php

Package

Name: php
Purl: pkg:rpm/mageia/php?distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.3.23-1.mga7

Ecosystem specific

{
    "section": "core"
}