ID

VAR-202002-1306


CVE

CVE-2020-7060


TITLE

PHP Out-of-bounds read vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-001730

DESCRIPTION

When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash. PHP Exists in an out-of-bounds read vulnerability.Information is obtained and service operation is interrupted (DoS) It may be put into a state. A buffer error vulnerability exists in PHP 7.2.x prior to 7.2.27, 7.3.x prior to 7.3.14, and 7.4.x prior to 7.4.2. (CVE-2015-9253). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: rh-php73-php security, bug fix, and enhancement update Advisory ID: RHSA-2020:5275-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2020:5275 Issue date: 2020-12-01 CVE Names: CVE-2019-11045 CVE-2019-11047 CVE-2019-11048 CVE-2019-11050 CVE-2019-19203 CVE-2019-19204 CVE-2019-19246 CVE-2020-7059 CVE-2020-7060 CVE-2020-7062 CVE-2020-7063 CVE-2020-7064 CVE-2020-7065 CVE-2020-7066 ==================================================================== 1. Summary: An update for rh-php73-php is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: rh-php73-php (7.3.20). (BZ#1853211) Security Fix(es): * php: DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte (CVE-2019-11045) * php: Information disclosure in exif_read_data() (CVE-2019-11047) * php: Integer wraparounds when receiving multipart forms (CVE-2019-11048) * oniguruma: Heap-based buffer over-read in function gb18030_mbc_enc_len in file gb18030.c (CVE-2019-19203) * oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c (CVE-2019-19204) * php: Out of bounds read in php_strip_tags_ex (CVE-2020-7059) * php: Global buffer-overflow in mbfl_filt_conv_big5_wchar function (CVE-2020-7060) * php: NULL pointer dereference in PHP session upload progress (CVE-2020-7062) * php: Files added to tar with Phar::buildFromIterator have all-access permissions (CVE-2020-7063) * php: Information disclosure in exif_read_data() function (CVE-2020-7064) * php: Using mb_strtolower() function with UTF-32LE encoding leads to potential code execution (CVE-2020-7065) * php: Out of bounds read when parsing EXIF information (CVE-2019-11050) * oniguruma: Heap-based buffer overflow in str_lower_case_match in regexec.c (CVE-2019-19246) * php: Information disclosure in function get_headers (CVE-2020-7066) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Software Collections 3.6 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, the httpd daemon must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1777537 - CVE-2019-19246 oniguruma: Heap-based buffer overflow in str_lower_case_match in regexec.c 1786570 - CVE-2019-11047 php: Information disclosure in exif_read_data() 1786572 - CVE-2019-11045 php: DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte 1788258 - CVE-2019-11050 php: Out of bounds read when parsing EXIF information 1797776 - CVE-2020-7059 php: Out of bounds read in php_strip_tags_ex 1797779 - CVE-2020-7060 php: Global buffer-overflow in mbfl_filt_conv_big5_wchar function 1802061 - CVE-2019-19203 oniguruma: Heap-based buffer over-read in function gb18030_mbc_enc_len in file gb18030.c 1802068 - CVE-2019-19204 oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c 1808532 - CVE-2020-7062 php: NULL pointer dereference in PHP session upload progress 1808536 - CVE-2020-7063 php: Files added to tar with Phar::buildFromIterator have all-access permissions 1820601 - CVE-2020-7064 php: Information disclosure in exif_read_data() function 1820604 - CVE-2020-7066 php: Information disclosure in function get_headers 1820627 - CVE-2020-7065 php: Using mb_strtolower() function with UTF-32LE encoding leads to potential code execution 1837842 - CVE-2019-11048 php: Integer wraparounds when receiving multipart forms 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-php73-php-7.3.20-1.el7.src.rpm aarch64: rh-php73-php-7.3.20-1.el7.aarch64.rpm rh-php73-php-bcmath-7.3.20-1.el7.aarch64.rpm rh-php73-php-cli-7.3.20-1.el7.aarch64.rpm rh-php73-php-common-7.3.20-1.el7.aarch64.rpm rh-php73-php-dba-7.3.20-1.el7.aarch64.rpm rh-php73-php-dbg-7.3.20-1.el7.aarch64.rpm rh-php73-php-debuginfo-7.3.20-1.el7.aarch64.rpm rh-php73-php-devel-7.3.20-1.el7.aarch64.rpm rh-php73-php-embedded-7.3.20-1.el7.aarch64.rpm rh-php73-php-enchant-7.3.20-1.el7.aarch64.rpm rh-php73-php-fpm-7.3.20-1.el7.aarch64.rpm rh-php73-php-gd-7.3.20-1.el7.aarch64.rpm rh-php73-php-gmp-7.3.20-1.el7.aarch64.rpm rh-php73-php-intl-7.3.20-1.el7.aarch64.rpm rh-php73-php-json-7.3.20-1.el7.aarch64.rpm rh-php73-php-ldap-7.3.20-1.el7.aarch64.rpm rh-php73-php-mbstring-7.3.20-1.el7.aarch64.rpm rh-php73-php-mysqlnd-7.3.20-1.el7.aarch64.rpm rh-php73-php-odbc-7.3.20-1.el7.aarch64.rpm rh-php73-php-opcache-7.3.20-1.el7.aarch64.rpm rh-php73-php-pdo-7.3.20-1.el7.aarch64.rpm rh-php73-php-pgsql-7.3.20-1.el7.aarch64.rpm rh-php73-php-process-7.3.20-1.el7.aarch64.rpm rh-php73-php-pspell-7.3.20-1.el7.aarch64.rpm rh-php73-php-recode-7.3.20-1.el7.aarch64.rpm rh-php73-php-snmp-7.3.20-1.el7.aarch64.rpm rh-php73-php-soap-7.3.20-1.el7.aarch64.rpm rh-php73-php-xml-7.3.20-1.el7.aarch64.rpm rh-php73-php-xmlrpc-7.3.20-1.el7.aarch64.rpm rh-php73-php-zip-7.3.20-1.el7.aarch64.rpm ppc64le: rh-php73-php-7.3.20-1.el7.ppc64le.rpm rh-php73-php-bcmath-7.3.20-1.el7.ppc64le.rpm rh-php73-php-cli-7.3.20-1.el7.ppc64le.rpm rh-php73-php-common-7.3.20-1.el7.ppc64le.rpm rh-php73-php-dba-7.3.20-1.el7.ppc64le.rpm rh-php73-php-dbg-7.3.20-1.el7.ppc64le.rpm rh-php73-php-debuginfo-7.3.20-1.el7.ppc64le.rpm rh-php73-php-devel-7.3.20-1.el7.ppc64le.rpm rh-php73-php-embedded-7.3.20-1.el7.ppc64le.rpm rh-php73-php-enchant-7.3.20-1.el7.ppc64le.rpm rh-php73-php-fpm-7.3.20-1.el7.ppc64le.rpm rh-php73-php-gd-7.3.20-1.el7.ppc64le.rpm rh-php73-php-gmp-7.3.20-1.el7.ppc64le.rpm rh-php73-php-intl-7.3.20-1.el7.ppc64le.rpm rh-php73-php-json-7.3.20-1.el7.ppc64le.rpm rh-php73-php-ldap-7.3.20-1.el7.ppc64le.rpm rh-php73-php-mbstring-7.3.20-1.el7.ppc64le.rpm rh-php73-php-mysqlnd-7.3.20-1.el7.ppc64le.rpm rh-php73-php-odbc-7.3.20-1.el7.ppc64le.rpm rh-php73-php-opcache-7.3.20-1.el7.ppc64le.rpm rh-php73-php-pdo-7.3.20-1.el7.ppc64le.rpm rh-php73-php-pgsql-7.3.20-1.el7.ppc64le.rpm rh-php73-php-process-7.3.20-1.el7.ppc64le.rpm rh-php73-php-pspell-7.3.20-1.el7.ppc64le.rpm rh-php73-php-recode-7.3.20-1.el7.ppc64le.rpm rh-php73-php-snmp-7.3.20-1.el7.ppc64le.rpm rh-php73-php-soap-7.3.20-1.el7.ppc64le.rpm rh-php73-php-xml-7.3.20-1.el7.ppc64le.rpm rh-php73-php-xmlrpc-7.3.20-1.el7.ppc64le.rpm rh-php73-php-zip-7.3.20-1.el7.ppc64le.rpm s390x: rh-php73-php-7.3.20-1.el7.s390x.rpm rh-php73-php-bcmath-7.3.20-1.el7.s390x.rpm rh-php73-php-cli-7.3.20-1.el7.s390x.rpm rh-php73-php-common-7.3.20-1.el7.s390x.rpm rh-php73-php-dba-7.3.20-1.el7.s390x.rpm rh-php73-php-dbg-7.3.20-1.el7.s390x.rpm rh-php73-php-debuginfo-7.3.20-1.el7.s390x.rpm rh-php73-php-devel-7.3.20-1.el7.s390x.rpm rh-php73-php-embedded-7.3.20-1.el7.s390x.rpm rh-php73-php-enchant-7.3.20-1.el7.s390x.rpm rh-php73-php-fpm-7.3.20-1.el7.s390x.rpm rh-php73-php-gd-7.3.20-1.el7.s390x.rpm rh-php73-php-gmp-7.3.20-1.el7.s390x.rpm rh-php73-php-intl-7.3.20-1.el7.s390x.rpm rh-php73-php-json-7.3.20-1.el7.s390x.rpm rh-php73-php-ldap-7.3.20-1.el7.s390x.rpm rh-php73-php-mbstring-7.3.20-1.el7.s390x.rpm rh-php73-php-mysqlnd-7.3.20-1.el7.s390x.rpm rh-php73-php-odbc-7.3.20-1.el7.s390x.rpm rh-php73-php-opcache-7.3.20-1.el7.s390x.rpm rh-php73-php-pdo-7.3.20-1.el7.s390x.rpm rh-php73-php-pgsql-7.3.20-1.el7.s390x.rpm rh-php73-php-process-7.3.20-1.el7.s390x.rpm rh-php73-php-pspell-7.3.20-1.el7.s390x.rpm rh-php73-php-recode-7.3.20-1.el7.s390x.rpm rh-php73-php-snmp-7.3.20-1.el7.s390x.rpm rh-php73-php-soap-7.3.20-1.el7.s390x.rpm rh-php73-php-xml-7.3.20-1.el7.s390x.rpm rh-php73-php-xmlrpc-7.3.20-1.el7.s390x.rpm rh-php73-php-zip-7.3.20-1.el7.s390x.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-php73-php-7.3.20-1.el7.src.rpm aarch64: rh-php73-php-7.3.20-1.el7.aarch64.rpm rh-php73-php-bcmath-7.3.20-1.el7.aarch64.rpm rh-php73-php-cli-7.3.20-1.el7.aarch64.rpm rh-php73-php-common-7.3.20-1.el7.aarch64.rpm rh-php73-php-dba-7.3.20-1.el7.aarch64.rpm rh-php73-php-dbg-7.3.20-1.el7.aarch64.rpm rh-php73-php-debuginfo-7.3.20-1.el7.aarch64.rpm rh-php73-php-devel-7.3.20-1.el7.aarch64.rpm rh-php73-php-embedded-7.3.20-1.el7.aarch64.rpm rh-php73-php-enchant-7.3.20-1.el7.aarch64.rpm rh-php73-php-fpm-7.3.20-1.el7.aarch64.rpm rh-php73-php-gd-7.3.20-1.el7.aarch64.rpm rh-php73-php-gmp-7.3.20-1.el7.aarch64.rpm rh-php73-php-intl-7.3.20-1.el7.aarch64.rpm rh-php73-php-json-7.3.20-1.el7.aarch64.rpm rh-php73-php-ldap-7.3.20-1.el7.aarch64.rpm rh-php73-php-mbstring-7.3.20-1.el7.aarch64.rpm rh-php73-php-mysqlnd-7.3.20-1.el7.aarch64.rpm rh-php73-php-odbc-7.3.20-1.el7.aarch64.rpm rh-php73-php-opcache-7.3.20-1.el7.aarch64.rpm rh-php73-php-pdo-7.3.20-1.el7.aarch64.rpm rh-php73-php-pgsql-7.3.20-1.el7.aarch64.rpm rh-php73-php-process-7.3.20-1.el7.aarch64.rpm rh-php73-php-pspell-7.3.20-1.el7.aarch64.rpm rh-php73-php-recode-7.3.20-1.el7.aarch64.rpm rh-php73-php-snmp-7.3.20-1.el7.aarch64.rpm rh-php73-php-soap-7.3.20-1.el7.aarch64.rpm rh-php73-php-xml-7.3.20-1.el7.aarch64.rpm rh-php73-php-xmlrpc-7.3.20-1.el7.aarch64.rpm rh-php73-php-zip-7.3.20-1.el7.aarch64.rpm ppc64le: rh-php73-php-7.3.20-1.el7.ppc64le.rpm rh-php73-php-bcmath-7.3.20-1.el7.ppc64le.rpm rh-php73-php-cli-7.3.20-1.el7.ppc64le.rpm rh-php73-php-common-7.3.20-1.el7.ppc64le.rpm rh-php73-php-dba-7.3.20-1.el7.ppc64le.rpm rh-php73-php-dbg-7.3.20-1.el7.ppc64le.rpm rh-php73-php-debuginfo-7.3.20-1.el7.ppc64le.rpm rh-php73-php-devel-7.3.20-1.el7.ppc64le.rpm rh-php73-php-embedded-7.3.20-1.el7.ppc64le.rpm rh-php73-php-enchant-7.3.20-1.el7.ppc64le.rpm rh-php73-php-fpm-7.3.20-1.el7.ppc64le.rpm rh-php73-php-gd-7.3.20-1.el7.ppc64le.rpm rh-php73-php-gmp-7.3.20-1.el7.ppc64le.rpm rh-php73-php-intl-7.3.20-1.el7.ppc64le.rpm rh-php73-php-json-7.3.20-1.el7.ppc64le.rpm rh-php73-php-ldap-7.3.20-1.el7.ppc64le.rpm rh-php73-php-mbstring-7.3.20-1.el7.ppc64le.rpm rh-php73-php-mysqlnd-7.3.20-1.el7.ppc64le.rpm rh-php73-php-odbc-7.3.20-1.el7.ppc64le.rpm rh-php73-php-opcache-7.3.20-1.el7.ppc64le.rpm rh-php73-php-pdo-7.3.20-1.el7.ppc64le.rpm rh-php73-php-pgsql-7.3.20-1.el7.ppc64le.rpm rh-php73-php-process-7.3.20-1.el7.ppc64le.rpm rh-php73-php-pspell-7.3.20-1.el7.ppc64le.rpm rh-php73-php-recode-7.3.20-1.el7.ppc64le.rpm rh-php73-php-snmp-7.3.20-1.el7.ppc64le.rpm rh-php73-php-soap-7.3.20-1.el7.ppc64le.rpm rh-php73-php-xml-7.3.20-1.el7.ppc64le.rpm rh-php73-php-xmlrpc-7.3.20-1.el7.ppc64le.rpm rh-php73-php-zip-7.3.20-1.el7.ppc64le.rpm s390x: rh-php73-php-7.3.20-1.el7.s390x.rpm rh-php73-php-bcmath-7.3.20-1.el7.s390x.rpm rh-php73-php-cli-7.3.20-1.el7.s390x.rpm rh-php73-php-common-7.3.20-1.el7.s390x.rpm rh-php73-php-dba-7.3.20-1.el7.s390x.rpm rh-php73-php-dbg-7.3.20-1.el7.s390x.rpm rh-php73-php-debuginfo-7.3.20-1.el7.s390x.rpm rh-php73-php-devel-7.3.20-1.el7.s390x.rpm rh-php73-php-embedded-7.3.20-1.el7.s390x.rpm rh-php73-php-enchant-7.3.20-1.el7.s390x.rpm rh-php73-php-fpm-7.3.20-1.el7.s390x.rpm rh-php73-php-gd-7.3.20-1.el7.s390x.rpm rh-php73-php-gmp-7.3.20-1.el7.s390x.rpm rh-php73-php-intl-7.3.20-1.el7.s390x.rpm rh-php73-php-json-7.3.20-1.el7.s390x.rpm rh-php73-php-ldap-7.3.20-1.el7.s390x.rpm rh-php73-php-mbstring-7.3.20-1.el7.s390x.rpm rh-php73-php-mysqlnd-7.3.20-1.el7.s390x.rpm rh-php73-php-odbc-7.3.20-1.el7.s390x.rpm rh-php73-php-opcache-7.3.20-1.el7.s390x.rpm rh-php73-php-pdo-7.3.20-1.el7.s390x.rpm rh-php73-php-pgsql-7.3.20-1.el7.s390x.rpm rh-php73-php-process-7.3.20-1.el7.s390x.rpm rh-php73-php-pspell-7.3.20-1.el7.s390x.rpm rh-php73-php-recode-7.3.20-1.el7.s390x.rpm rh-php73-php-snmp-7.3.20-1.el7.s390x.rpm rh-php73-php-soap-7.3.20-1.el7.s390x.rpm rh-php73-php-xml-7.3.20-1.el7.s390x.rpm rh-php73-php-xmlrpc-7.3.20-1.el7.s390x.rpm rh-php73-php-zip-7.3.20-1.el7.s390x.rpm x86_64: rh-php73-php-7.3.20-1.el7.x86_64.rpm rh-php73-php-bcmath-7.3.20-1.el7.x86_64.rpm rh-php73-php-cli-7.3.20-1.el7.x86_64.rpm rh-php73-php-common-7.3.20-1.el7.x86_64.rpm rh-php73-php-dba-7.3.20-1.el7.x86_64.rpm rh-php73-php-dbg-7.3.20-1.el7.x86_64.rpm rh-php73-php-debuginfo-7.3.20-1.el7.x86_64.rpm rh-php73-php-devel-7.3.20-1.el7.x86_64.rpm rh-php73-php-embedded-7.3.20-1.el7.x86_64.rpm rh-php73-php-enchant-7.3.20-1.el7.x86_64.rpm rh-php73-php-fpm-7.3.20-1.el7.x86_64.rpm rh-php73-php-gd-7.3.20-1.el7.x86_64.rpm rh-php73-php-gmp-7.3.20-1.el7.x86_64.rpm rh-php73-php-intl-7.3.20-1.el7.x86_64.rpm rh-php73-php-json-7.3.20-1.el7.x86_64.rpm rh-php73-php-ldap-7.3.20-1.el7.x86_64.rpm rh-php73-php-mbstring-7.3.20-1.el7.x86_64.rpm rh-php73-php-mysqlnd-7.3.20-1.el7.x86_64.rpm rh-php73-php-odbc-7.3.20-1.el7.x86_64.rpm rh-php73-php-opcache-7.3.20-1.el7.x86_64.rpm rh-php73-php-pdo-7.3.20-1.el7.x86_64.rpm rh-php73-php-pgsql-7.3.20-1.el7.x86_64.rpm rh-php73-php-process-7.3.20-1.el7.x86_64.rpm rh-php73-php-pspell-7.3.20-1.el7.x86_64.rpm rh-php73-php-recode-7.3.20-1.el7.x86_64.rpm rh-php73-php-snmp-7.3.20-1.el7.x86_64.rpm rh-php73-php-soap-7.3.20-1.el7.x86_64.rpm rh-php73-php-xml-7.3.20-1.el7.x86_64.rpm rh-php73-php-xmlrpc-7.3.20-1.el7.x86_64.rpm rh-php73-php-zip-7.3.20-1.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6): Source: rh-php73-php-7.3.20-1.el7.src.rpm ppc64le: rh-php73-php-7.3.20-1.el7.ppc64le.rpm rh-php73-php-bcmath-7.3.20-1.el7.ppc64le.rpm rh-php73-php-cli-7.3.20-1.el7.ppc64le.rpm rh-php73-php-common-7.3.20-1.el7.ppc64le.rpm rh-php73-php-dba-7.3.20-1.el7.ppc64le.rpm rh-php73-php-dbg-7.3.20-1.el7.ppc64le.rpm rh-php73-php-debuginfo-7.3.20-1.el7.ppc64le.rpm rh-php73-php-devel-7.3.20-1.el7.ppc64le.rpm rh-php73-php-embedded-7.3.20-1.el7.ppc64le.rpm rh-php73-php-enchant-7.3.20-1.el7.ppc64le.rpm rh-php73-php-fpm-7.3.20-1.el7.ppc64le.rpm rh-php73-php-gd-7.3.20-1.el7.ppc64le.rpm rh-php73-php-gmp-7.3.20-1.el7.ppc64le.rpm rh-php73-php-intl-7.3.20-1.el7.ppc64le.rpm rh-php73-php-json-7.3.20-1.el7.ppc64le.rpm rh-php73-php-ldap-7.3.20-1.el7.ppc64le.rpm rh-php73-php-mbstring-7.3.20-1.el7.ppc64le.rpm rh-php73-php-mysqlnd-7.3.20-1.el7.ppc64le.rpm rh-php73-php-odbc-7.3.20-1.el7.ppc64le.rpm rh-php73-php-opcache-7.3.20-1.el7.ppc64le.rpm rh-php73-php-pdo-7.3.20-1.el7.ppc64le.rpm rh-php73-php-pgsql-7.3.20-1.el7.ppc64le.rpm rh-php73-php-process-7.3.20-1.el7.ppc64le.rpm rh-php73-php-pspell-7.3.20-1.el7.ppc64le.rpm rh-php73-php-recode-7.3.20-1.el7.ppc64le.rpm rh-php73-php-snmp-7.3.20-1.el7.ppc64le.rpm rh-php73-php-soap-7.3.20-1.el7.ppc64le.rpm rh-php73-php-xml-7.3.20-1.el7.ppc64le.rpm rh-php73-php-xmlrpc-7.3.20-1.el7.ppc64le.rpm rh-php73-php-zip-7.3.20-1.el7.ppc64le.rpm s390x: rh-php73-php-7.3.20-1.el7.s390x.rpm rh-php73-php-bcmath-7.3.20-1.el7.s390x.rpm rh-php73-php-cli-7.3.20-1.el7.s390x.rpm rh-php73-php-common-7.3.20-1.el7.s390x.rpm rh-php73-php-dba-7.3.20-1.el7.s390x.rpm rh-php73-php-dbg-7.3.20-1.el7.s390x.rpm rh-php73-php-debuginfo-7.3.20-1.el7.s390x.rpm rh-php73-php-devel-7.3.20-1.el7.s390x.rpm rh-php73-php-embedded-7.3.20-1.el7.s390x.rpm rh-php73-php-enchant-7.3.20-1.el7.s390x.rpm rh-php73-php-fpm-7.3.20-1.el7.s390x.rpm rh-php73-php-gd-7.3.20-1.el7.s390x.rpm rh-php73-php-gmp-7.3.20-1.el7.s390x.rpm rh-php73-php-intl-7.3.20-1.el7.s390x.rpm rh-php73-php-json-7.3.20-1.el7.s390x.rpm rh-php73-php-ldap-7.3.20-1.el7.s390x.rpm rh-php73-php-mbstring-7.3.20-1.el7.s390x.rpm rh-php73-php-mysqlnd-7.3.20-1.el7.s390x.rpm rh-php73-php-odbc-7.3.20-1.el7.s390x.rpm rh-php73-php-opcache-7.3.20-1.el7.s390x.rpm rh-php73-php-pdo-7.3.20-1.el7.s390x.rpm rh-php73-php-pgsql-7.3.20-1.el7.s390x.rpm rh-php73-php-process-7.3.20-1.el7.s390x.rpm rh-php73-php-pspell-7.3.20-1.el7.s390x.rpm rh-php73-php-recode-7.3.20-1.el7.s390x.rpm rh-php73-php-snmp-7.3.20-1.el7.s390x.rpm rh-php73-php-soap-7.3.20-1.el7.s390x.rpm rh-php73-php-xml-7.3.20-1.el7.s390x.rpm rh-php73-php-xmlrpc-7.3.20-1.el7.s390x.rpm rh-php73-php-zip-7.3.20-1.el7.s390x.rpm x86_64: rh-php73-php-7.3.20-1.el7.x86_64.rpm rh-php73-php-bcmath-7.3.20-1.el7.x86_64.rpm rh-php73-php-cli-7.3.20-1.el7.x86_64.rpm rh-php73-php-common-7.3.20-1.el7.x86_64.rpm rh-php73-php-dba-7.3.20-1.el7.x86_64.rpm rh-php73-php-dbg-7.3.20-1.el7.x86_64.rpm rh-php73-php-debuginfo-7.3.20-1.el7.x86_64.rpm rh-php73-php-devel-7.3.20-1.el7.x86_64.rpm rh-php73-php-embedded-7.3.20-1.el7.x86_64.rpm rh-php73-php-enchant-7.3.20-1.el7.x86_64.rpm rh-php73-php-fpm-7.3.20-1.el7.x86_64.rpm rh-php73-php-gd-7.3.20-1.el7.x86_64.rpm rh-php73-php-gmp-7.3.20-1.el7.x86_64.rpm rh-php73-php-intl-7.3.20-1.el7.x86_64.rpm rh-php73-php-json-7.3.20-1.el7.x86_64.rpm rh-php73-php-ldap-7.3.20-1.el7.x86_64.rpm rh-php73-php-mbstring-7.3.20-1.el7.x86_64.rpm rh-php73-php-mysqlnd-7.3.20-1.el7.x86_64.rpm rh-php73-php-odbc-7.3.20-1.el7.x86_64.rpm rh-php73-php-opcache-7.3.20-1.el7.x86_64.rpm rh-php73-php-pdo-7.3.20-1.el7.x86_64.rpm rh-php73-php-pgsql-7.3.20-1.el7.x86_64.rpm rh-php73-php-process-7.3.20-1.el7.x86_64.rpm rh-php73-php-pspell-7.3.20-1.el7.x86_64.rpm rh-php73-php-recode-7.3.20-1.el7.x86_64.rpm rh-php73-php-snmp-7.3.20-1.el7.x86_64.rpm rh-php73-php-soap-7.3.20-1.el7.x86_64.rpm rh-php73-php-xml-7.3.20-1.el7.x86_64.rpm rh-php73-php-xmlrpc-7.3.20-1.el7.x86_64.rpm rh-php73-php-zip-7.3.20-1.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7): Source: rh-php73-php-7.3.20-1.el7.src.rpm ppc64le: rh-php73-php-7.3.20-1.el7.ppc64le.rpm rh-php73-php-bcmath-7.3.20-1.el7.ppc64le.rpm rh-php73-php-cli-7.3.20-1.el7.ppc64le.rpm rh-php73-php-common-7.3.20-1.el7.ppc64le.rpm rh-php73-php-dba-7.3.20-1.el7.ppc64le.rpm rh-php73-php-dbg-7.3.20-1.el7.ppc64le.rpm rh-php73-php-debuginfo-7.3.20-1.el7.ppc64le.rpm rh-php73-php-devel-7.3.20-1.el7.ppc64le.rpm rh-php73-php-embedded-7.3.20-1.el7.ppc64le.rpm rh-php73-php-enchant-7.3.20-1.el7.ppc64le.rpm rh-php73-php-fpm-7.3.20-1.el7.ppc64le.rpm rh-php73-php-gd-7.3.20-1.el7.ppc64le.rpm rh-php73-php-gmp-7.3.20-1.el7.ppc64le.rpm rh-php73-php-intl-7.3.20-1.el7.ppc64le.rpm rh-php73-php-json-7.3.20-1.el7.ppc64le.rpm rh-php73-php-ldap-7.3.20-1.el7.ppc64le.rpm rh-php73-php-mbstring-7.3.20-1.el7.ppc64le.rpm rh-php73-php-mysqlnd-7.3.20-1.el7.ppc64le.rpm rh-php73-php-odbc-7.3.20-1.el7.ppc64le.rpm rh-php73-php-opcache-7.3.20-1.el7.ppc64le.rpm rh-php73-php-pdo-7.3.20-1.el7.ppc64le.rpm rh-php73-php-pgsql-7.3.20-1.el7.ppc64le.rpm rh-php73-php-process-7.3.20-1.el7.ppc64le.rpm rh-php73-php-pspell-7.3.20-1.el7.ppc64le.rpm rh-php73-php-recode-7.3.20-1.el7.ppc64le.rpm rh-php73-php-snmp-7.3.20-1.el7.ppc64le.rpm rh-php73-php-soap-7.3.20-1.el7.ppc64le.rpm rh-php73-php-xml-7.3.20-1.el7.ppc64le.rpm rh-php73-php-xmlrpc-7.3.20-1.el7.ppc64le.rpm rh-php73-php-zip-7.3.20-1.el7.ppc64le.rpm s390x: rh-php73-php-7.3.20-1.el7.s390x.rpm rh-php73-php-bcmath-7.3.20-1.el7.s390x.rpm rh-php73-php-cli-7.3.20-1.el7.s390x.rpm rh-php73-php-common-7.3.20-1.el7.s390x.rpm rh-php73-php-dba-7.3.20-1.el7.s390x.rpm rh-php73-php-dbg-7.3.20-1.el7.s390x.rpm rh-php73-php-debuginfo-7.3.20-1.el7.s390x.rpm rh-php73-php-devel-7.3.20-1.el7.s390x.rpm rh-php73-php-embedded-7.3.20-1.el7.s390x.rpm rh-php73-php-enchant-7.3.20-1.el7.s390x.rpm rh-php73-php-fpm-7.3.20-1.el7.s390x.rpm rh-php73-php-gd-7.3.20-1.el7.s390x.rpm rh-php73-php-gmp-7.3.20-1.el7.s390x.rpm rh-php73-php-intl-7.3.20-1.el7.s390x.rpm rh-php73-php-json-7.3.20-1.el7.s390x.rpm rh-php73-php-ldap-7.3.20-1.el7.s390x.rpm rh-php73-php-mbstring-7.3.20-1.el7.s390x.rpm rh-php73-php-mysqlnd-7.3.20-1.el7.s390x.rpm rh-php73-php-odbc-7.3.20-1.el7.s390x.rpm rh-php73-php-opcache-7.3.20-1.el7.s390x.rpm rh-php73-php-pdo-7.3.20-1.el7.s390x.rpm rh-php73-php-pgsql-7.3.20-1.el7.s390x.rpm rh-php73-php-process-7.3.20-1.el7.s390x.rpm rh-php73-php-pspell-7.3.20-1.el7.s390x.rpm rh-php73-php-recode-7.3.20-1.el7.s390x.rpm rh-php73-php-snmp-7.3.20-1.el7.s390x.rpm rh-php73-php-soap-7.3.20-1.el7.s390x.rpm rh-php73-php-xml-7.3.20-1.el7.s390x.rpm rh-php73-php-xmlrpc-7.3.20-1.el7.s390x.rpm rh-php73-php-zip-7.3.20-1.el7.s390x.rpm x86_64: rh-php73-php-7.3.20-1.el7.x86_64.rpm rh-php73-php-bcmath-7.3.20-1.el7.x86_64.rpm rh-php73-php-cli-7.3.20-1.el7.x86_64.rpm rh-php73-php-common-7.3.20-1.el7.x86_64.rpm rh-php73-php-dba-7.3.20-1.el7.x86_64.rpm rh-php73-php-dbg-7.3.20-1.el7.x86_64.rpm rh-php73-php-debuginfo-7.3.20-1.el7.x86_64.rpm rh-php73-php-devel-7.3.20-1.el7.x86_64.rpm rh-php73-php-embedded-7.3.20-1.el7.x86_64.rpm rh-php73-php-enchant-7.3.20-1.el7.x86_64.rpm rh-php73-php-fpm-7.3.20-1.el7.x86_64.rpm rh-php73-php-gd-7.3.20-1.el7.x86_64.rpm rh-php73-php-gmp-7.3.20-1.el7.x86_64.rpm rh-php73-php-intl-7.3.20-1.el7.x86_64.rpm rh-php73-php-json-7.3.20-1.el7.x86_64.rpm rh-php73-php-ldap-7.3.20-1.el7.x86_64.rpm rh-php73-php-mbstring-7.3.20-1.el7.x86_64.rpm rh-php73-php-mysqlnd-7.3.20-1.el7.x86_64.rpm rh-php73-php-odbc-7.3.20-1.el7.x86_64.rpm rh-php73-php-opcache-7.3.20-1.el7.x86_64.rpm rh-php73-php-pdo-7.3.20-1.el7.x86_64.rpm rh-php73-php-pgsql-7.3.20-1.el7.x86_64.rpm rh-php73-php-process-7.3.20-1.el7.x86_64.rpm rh-php73-php-pspell-7.3.20-1.el7.x86_64.rpm rh-php73-php-recode-7.3.20-1.el7.x86_64.rpm rh-php73-php-snmp-7.3.20-1.el7.x86_64.rpm rh-php73-php-soap-7.3.20-1.el7.x86_64.rpm rh-php73-php-xml-7.3.20-1.el7.x86_64.rpm rh-php73-php-xmlrpc-7.3.20-1.el7.x86_64.rpm rh-php73-php-zip-7.3.20-1.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-php73-php-7.3.20-1.el7.src.rpm x86_64: rh-php73-php-7.3.20-1.el7.x86_64.rpm rh-php73-php-bcmath-7.3.20-1.el7.x86_64.rpm rh-php73-php-cli-7.3.20-1.el7.x86_64.rpm rh-php73-php-common-7.3.20-1.el7.x86_64.rpm rh-php73-php-dba-7.3.20-1.el7.x86_64.rpm rh-php73-php-dbg-7.3.20-1.el7.x86_64.rpm rh-php73-php-debuginfo-7.3.20-1.el7.x86_64.rpm rh-php73-php-devel-7.3.20-1.el7.x86_64.rpm rh-php73-php-embedded-7.3.20-1.el7.x86_64.rpm rh-php73-php-enchant-7.3.20-1.el7.x86_64.rpm rh-php73-php-fpm-7.3.20-1.el7.x86_64.rpm rh-php73-php-gd-7.3.20-1.el7.x86_64.rpm rh-php73-php-gmp-7.3.20-1.el7.x86_64.rpm rh-php73-php-intl-7.3.20-1.el7.x86_64.rpm rh-php73-php-json-7.3.20-1.el7.x86_64.rpm rh-php73-php-ldap-7.3.20-1.el7.x86_64.rpm rh-php73-php-mbstring-7.3.20-1.el7.x86_64.rpm rh-php73-php-mysqlnd-7.3.20-1.el7.x86_64.rpm rh-php73-php-odbc-7.3.20-1.el7.x86_64.rpm rh-php73-php-opcache-7.3.20-1.el7.x86_64.rpm rh-php73-php-pdo-7.3.20-1.el7.x86_64.rpm rh-php73-php-pgsql-7.3.20-1.el7.x86_64.rpm rh-php73-php-process-7.3.20-1.el7.x86_64.rpm rh-php73-php-pspell-7.3.20-1.el7.x86_64.rpm rh-php73-php-recode-7.3.20-1.el7.x86_64.rpm rh-php73-php-snmp-7.3.20-1.el7.x86_64.rpm rh-php73-php-soap-7.3.20-1.el7.x86_64.rpm rh-php73-php-xml-7.3.20-1.el7.x86_64.rpm rh-php73-php-xmlrpc-7.3.20-1.el7.x86_64.rpm rh-php73-php-zip-7.3.20-1.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-11045 https://access.redhat.com/security/cve/CVE-2019-11047 https://access.redhat.com/security/cve/CVE-2019-11048 https://access.redhat.com/security/cve/CVE-2019-11050 https://access.redhat.com/security/cve/CVE-2019-19203 https://access.redhat.com/security/cve/CVE-2019-19204 https://access.redhat.com/security/cve/CVE-2019-19246 https://access.redhat.com/security/cve/CVE-2020-7059 https://access.redhat.com/security/cve/CVE-2020-7060 https://access.redhat.com/security/cve/CVE-2020-7062 https://access.redhat.com/security/cve/CVE-2020-7063 https://access.redhat.com/security/cve/CVE-2020-7064 https://access.redhat.com/security/cve/CVE-2020-7065 https://access.redhat.com/security/cve/CVE-2020-7066 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.6_release_notes/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX8Y0i9zjgjWX9erEAQg0Fw/8DpkMHPAzp4Tb6ym275eMnlcICweGyFtw becOAQt6d3zo6+1fQ7TvsDhciqoSppofF1z4i1HKRZlvsrkzmPkzXfBh0Z1M99YQ KUsvTcbQ9fd5AzHzkVIQ1NL9Qvhl8We0DL/WEiz6ob3yczwgZAz7yVq+dl7IkfoI 6G/lbIT0g5C9OPpma+KPw2mB1fiaGnPp5+i3o1srMYOcqqd8oWDWOQZJVB1TlkEH rcPfqKdlrwIl2gu9LlGw8leNS0392lsd8UOaVt8rjsW5wdPAZno8rCFp+TMXymJ0 D1FlsrWwsc89QPgeJd13cc487nJnIos8bRxTDsJL/pQdyhIYNLGA7dA20YdMElDh viPblEXhfwRMHeSgTUUTU4dvNk6DiGQWigiNh2973EgYDTxA2AGvLo2ygfFXCVGi EWcECya+Cz+G0/IaJPE1ohnVqdfdrDVncOFNmfdQ6QvDZaoZyqi37UubtA+JB1qC 5f1j9vtfWTMRpkCqmF/94WQ81h2401lqHz6yWlbn2DOALN/R8Cso5mLwwd/9cWLo RwIpTvHOFY++tzoh8Mn9WDaMNkPkf39n30BDtKQA4XG53vo3/RZHmpkmwxy4UVgB gGP537Uy95zumCJMFRsKvkqTg62O6AEOneydtZT/yYGiF9uhHBboTorij+aD7LN4 0afoNZ3Sfdc\xaaB8 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. For the stable distribution (buster), these problems have been fixed in version 7.3.14-1~deb10u1. We recommend that you upgrade your php7.3 packages. For the detailed security status of php7.3 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/php7.3 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl5K+WQACgkQEMKTtsN8 TjZA/xAAkC1VQPZceCr4L9w2SuZ3tqxhxtQudPw8NcH7kSZtrvFnFOYvqKTj/wNV wtHcx4TMZRPYWu+Pzl2WN7B+H++4PtvNDyUmyrwOycOIBnPrRRp9bmtTrs6Dzmm4 M/y2G5PYVGHxeilQWLKiOKX/EL/7EFjjEZq19DyujBGlOZsj3jGDAxtpGn510Q2d 94c2fa1hCBp8u0HGMcCQ632+bK6JS79JixzkkuGlWiih+2H94Qdwm3saiNt3ey/N QT7tiFsdPWwWUOuT4G6GYrpL0vOw+idm9OClfOAufaZOosgIbL/oUPtMtq7Gb7la ILxU1KbaLMX0vOszycpIP04AEBPETCKxvDuHNLKTGNaE6GQjIjDkSTIH0hGDeaeX gCrRosPh0jmI5M158dJrUPkC5JZpsX/WJWGmNnJ5DvCBMlQtaloVBP4eLXlda8fB 743tDdFlaiD6mC0aGMfXp54yTD3/0J2ENmZ8Rx+YEuTr7/7P1Ia8o2HiIoGE4URf AU4uQ1YjI6bhXo8muN29449vo/5yciVhH3EikHvGtdMAd7c2wD6GxDjpKj2ZWOF8 flI6DcATW+8rq9+dICZOtA0vgxTZb4iPzj4CXoqzfDg+JH5U2AGKQWY/650UIwOX Q2kshwrrFxQUml8AfiL68OJww4MkBmUb9fbwmgBg0pNASigWJa4=EPNV -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202003-57 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: PHP: Multiple vulnerabilities Date: March 26, 2020 Bugs: #671872, #706168, #710304, #713484 ID: 202003-57 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in PHP, the worst of which could result in the execution of arbitrary shell commands. Background ========== PHP is an open source general-purpose scripting language that is especially suited for web development. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All PHP 7.2.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-7.2.29" All PHP 7.3.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-7.3.16" All PHP 7.4.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-7.4.4" References ========== [ 1 ] CVE-2018-19518 https://nvd.nist.gov/vuln/detail/CVE-2018-19518 [ 2 ] CVE-2020-7059 https://nvd.nist.gov/vuln/detail/CVE-2020-7059 [ 3 ] CVE-2020-7060 https://nvd.nist.gov/vuln/detail/CVE-2020-7060 [ 4 ] CVE-2020-7061 https://nvd.nist.gov/vuln/detail/CVE-2020-7061 [ 5 ] CVE-2020-7062 https://nvd.nist.gov/vuln/detail/CVE-2020-7062 [ 6 ] CVE-2020-7063 https://nvd.nist.gov/vuln/detail/CVE-2020-7063 [ 7 ] CVE-2020-7064 https://nvd.nist.gov/vuln/detail/CVE-2020-7064 [ 8 ] CVE-2020-7065 https://nvd.nist.gov/vuln/detail/CVE-2020-7065 [ 9 ] CVE-2020-7066 https://nvd.nist.gov/vuln/detail/CVE-2020-7066 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202003-57 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . ========================================================================== Ubuntu Security Notice USN-4279-2 February 19, 2020 php7.0 regression ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS Summary: USN-4279-1 introduced a regression in PHP. The updated packages caused a regression. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that PHP incorrectly handled certain scripts. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04 LTS. (CVE-2015-9253) It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. (CVE-2020-7059) It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2020-7060) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: libapache2-mod-php7.0 7.0.33-0ubuntu0.16.04.12 php7.0-cgi 7.0.33-0ubuntu0.16.04.12 php7.0-cli 7.0.33-0ubuntu0.16.04.12 php7.0-fpm 7.0.33-0ubuntu0.16.04.12 In general, a standard system update will make all the necessary changes

Trust: 2.43

sources: NVD: CVE-2020-7060 // JVNDB: JVNDB-2020-001730 // VULHUB: VHN-185185 // VULMON: CVE-2020-7060 // PACKETSTORM: 156397 // PACKETSTORM: 160292 // PACKETSTORM: 159094 // PACKETSTORM: 156399 // PACKETSTORM: 156934 // PACKETSTORM: 156441 // PACKETSTORM: 156423

AFFECTED PRODUCTS

vendor:phpmodel:phpscope:ltversion:7.4.2

Trust: 1.0

vendor:oraclemodel:communications diameter signaling routerscope:gteversion:8.0

Trust: 1.0

vendor:phpmodel:phpscope:ltversion:7.2.27

Trust: 1.0

vendor:phpmodel:phpscope:ltversion:7.3.14

Trust: 1.0

vendor:oraclemodel:communications diameter signaling routerscope:lteversion:8.4

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:8.0

Trust: 1.0

vendor:phpmodel:phpscope:gteversion:7.2.0

Trust: 1.0

vendor:opensusemodel:leapscope:eqversion:15.1

Trust: 1.0

vendor:tenablemodel:tenable.scscope:ltversion:5.19.0

Trust: 1.0

vendor:phpmodel:phpscope:gteversion:7.4.0

Trust: 1.0

vendor:phpmodel:phpscope:gteversion:7.3.0

Trust: 1.0

vendor:the php groupmodel:phpscope:eqversion:7.2.27

Trust: 0.8

vendor:the php groupmodel:phpscope:eqversion:7.3.14

Trust: 0.8

vendor:the php groupmodel:phpscope:eqversion:7.4.2

Trust: 0.8

sources: JVNDB: JVNDB-2020-001730 // NVD: CVE-2020-7060

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-7060
value: CRITICAL

Trust: 1.0

security@php.net: CVE-2020-7060
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-001730
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202002-315
value: CRITICAL

Trust: 0.6

VULHUB: VHN-185185
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-7060
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-7060
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-001730
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-185185
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-7060
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.2
version: 3.1

Trust: 1.0

security@php.net: CVE-2020-7060
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 2.5
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-001730
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-185185 // VULMON: CVE-2020-7060 // JVNDB: JVNDB-2020-001730 // CNNVD: CNNVD-202002-315 // NVD: CVE-2020-7060 // NVD: CVE-2020-7060

PROBLEMTYPE DATA

problemtype:CWE-125

Trust: 1.9

sources: VULHUB: VHN-185185 // JVNDB: JVNDB-2020-001730 // NVD: CVE-2020-7060

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-315

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202002-315

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-001730

PATCH

title:Sec Bug #79037url:https://bugs.php.net/bug.php?id=79037

Trust: 0.8

title:PHP mbstring Buffer error vulnerability fixurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=109491

Trust: 0.6

title:Ubuntu Security Notice: php5, php7.0, php7.2, php7.3 vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4279-1

Trust: 0.1

title:Ubuntu Security Notice: php7.0 regressionurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4279-2

Trust: 0.1

title:Amazon Linux AMI: ALAS-2020-1347url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2020-1347

Trust: 0.1

title:Amazon Linux AMI: ALAS-2020-1346url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2020-1346

Trust: 0.1

title:Red Hat: Moderate: rh-php73-php security, bug fix, and enhancement updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20205275 - Security Advisory

Trust: 0.1

title:Debian Security Advisories: DSA-4628-1 php7.0 -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=688741de46e2d16edb2da10e1d501450

Trust: 0.1

title:Red Hat: Moderate: php:7.3 security, bug fix, and enhancement updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20203662 - Security Advisory

Trust: 0.1

title:Debian Security Advisories: DSA-4626-1 php7.3 -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=66162fd32170228a0805fd7114196e44

Trust: 0.1

title:Tenable Security Advisories: [R1] Tenable.sc 5.19.0 Fixes Multiple Third-party Vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories&qid=TNS-2021-14

Trust: 0.1

sources: VULMON: CVE-2020-7060 // JVNDB: JVNDB-2020-001730 // CNNVD: CNNVD-202002-315

EXTERNAL IDS

db:NVDid:CVE-2020-7060

Trust: 3.3

db:TENABLEid:TNS-2021-14

Trust: 1.7

db:PACKETSTORMid:160292

Trust: 0.8

db:PACKETSTORMid:159094

Trust: 0.8

db:JVNDBid:JVNDB-2020-001730

Trust: 0.8

db:CNNVDid:CNNVD-202002-315

Trust: 0.7

db:PACKETSTORMid:156399

Trust: 0.7

db:PACKETSTORMid:156934

Trust: 0.7

db:PACKETSTORMid:156441

Trust: 0.7

db:PACKETSTORMid:156423

Trust: 0.7

db:AUSCERTid:ESB-2022.6056

Trust: 0.6

db:AUSCERTid:ESB-2020.4262

Trust: 0.6

db:AUSCERTid:ESB-2020.0741

Trust: 0.6

db:AUSCERTid:ESB-2020.0748

Trust: 0.6

db:AUSCERTid:ESB-2020.0566

Trust: 0.6

db:AUSCERTid:ESB-2020.0584

Trust: 0.6

db:AUSCERTid:ESB-2020.3072

Trust: 0.6

db:AUSCERTid:ESB-2020.0853

Trust: 0.6

db:AUSCERTid:ESB-2020.4296

Trust: 0.6

db:AUSCERTid:ESB-2021.2515

Trust: 0.6

db:CS-HELPid:SB2021072292

Trust: 0.6

db:CNVDid:CNVD-2020-14917

Trust: 0.1

db:VULHUBid:VHN-185185

Trust: 0.1

db:VULMONid:CVE-2020-7060

Trust: 0.1

db:PACKETSTORMid:156397

Trust: 0.1

sources: VULHUB: VHN-185185 // VULMON: CVE-2020-7060 // JVNDB: JVNDB-2020-001730 // PACKETSTORM: 156397 // PACKETSTORM: 160292 // PACKETSTORM: 159094 // PACKETSTORM: 156399 // PACKETSTORM: 156934 // PACKETSTORM: 156441 // PACKETSTORM: 156423 // CNNVD: CNNVD-202002-315 // NVD: CVE-2020-7060

REFERENCES

url:https://www.debian.org/security/2020/dsa-4628

Trust: 2.4

url:https://www.oracle.com/security-alerts/cpujul2020.html

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2020-7060

Trust: 2.1

url:https://security.gentoo.org/glsa/202003-57

Trust: 1.9

url:https://usn.ubuntu.com/4279-1/

Trust: 1.9

url:https://seclists.org/bugtraq/2020/feb/27

Trust: 1.8

url:https://seclists.org/bugtraq/2020/feb/31

Trust: 1.8

url:https://seclists.org/bugtraq/2021/jan/3

Trust: 1.8

url:https://security.netapp.com/advisory/ntap-20200221-0002/

Trust: 1.8

url:https://www.debian.org/security/2020/dsa-4626

Trust: 1.8

url:https://bugs.php.net/bug.php?id=79037

Trust: 1.8

url:https://www.oracle.com/security-alerts/cpuapr2021.html

Trust: 1.8

url:https://lists.debian.org/debian-lts-announce/2020/02/msg00030.html

Trust: 1.8

url:http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html

Trust: 1.8

url:https://www.tenable.com/security/tns-2021-14

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-7060

Trust: 0.8

url:https://access.redhat.com/security/cve/cve-2020-7060

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-7059

Trust: 0.7

url:https://www.auscert.org.au/bulletins/esb-2020.4262/

Trust: 0.6

url:https://packetstormsecurity.com/files/156423/debian-security-advisory-4628-1.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0748/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021072292

Trust: 0.6

url:https://packetstormsecurity.com/files/156441/ubuntu-security-notice-usn-4279-2.html

Trust: 0.6

url:https://packetstormsecurity.com/files/159094/red-hat-security-advisory-2020-3662-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2515

Trust: 0.6

url:https://packetstormsecurity.com/files/160292/red-hat-security-advisory-2020-5275-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0566/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0741/

Trust: 0.6

url:https://packetstormsecurity.com/files/156934/gentoo-linux-security-advisory-202003-57.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0853/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.4296/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0584/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-vulnerabilities-in-php-cve-2020-7069-cve-2020-7059-2/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3072/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.6056

Trust: 0.6

url:https://vigilance.fr/vulnerability/php-multiple-vulnerabilities-31420

Trust: 0.6

url:https://packetstormsecurity.com/files/156399/debian-security-advisory-4626-1.html

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2019-11045

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-11047

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-11050

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2020-7065

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-7062

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-7064

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-7066

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-7063

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2015-9253

Trust: 0.2

url:https://usn.ubuntu.com/4279-1

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-11050

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-19203

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-7059

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-11045

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-7066

Trust: 0.2

url:https://access.redhat.com/articles/11258

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-7065

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-11047

Trust: 0.2

url:https://access.redhat.com/security/team/contact/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-19203

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-19204

Trust: 0.2

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-7063

Trust: 0.2

url:https://bugzilla.redhat.com/):

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-19246

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-11048

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-11048

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2019-19204

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-7064

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-19246

Trust: 0.2

url:https://access.redhat.com/security/team/key/

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-7062

Trust: 0.2

url:https://www.debian.org/security/faq

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-11046

Trust: 0.2

url:https://www.debian.org/security/

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/125.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/php7.3/7.3.11-0ubuntu0.19.10.3

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.3

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/php7.0/7.0.33-0ubuntu0.16.04.11

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:5275

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.6_release_notes/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11042

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11041

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11040

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-11040

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11039

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-11039

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-13224

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-11042

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-13225

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-11041

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-16163

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-20454

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:3662

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-13225

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-13224

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-16163

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-20454

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11049

Trust: 0.1

url:https://security-tracker.debian.org/tracker/php7.3

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-19518

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-7061

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://usn.ubuntu.com/4279-2

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/php7.0/7.0.33-0ubuntu0.16.04.12

Trust: 0.1

url:https://security-tracker.debian.org/tracker/php7.0

Trust: 0.1

sources: VULHUB: VHN-185185 // VULMON: CVE-2020-7060 // JVNDB: JVNDB-2020-001730 // PACKETSTORM: 156397 // PACKETSTORM: 160292 // PACKETSTORM: 159094 // PACKETSTORM: 156399 // PACKETSTORM: 156934 // PACKETSTORM: 156441 // PACKETSTORM: 156423 // CNNVD: CNNVD-202002-315 // NVD: CVE-2020-7060

CREDITS

Ubuntu,Debian,Red Hat,Gentoo

Trust: 0.6

sources: CNNVD: CNNVD-202002-315

SOURCES

db:VULHUBid:VHN-185185
db:VULMONid:CVE-2020-7060
db:JVNDBid:JVNDB-2020-001730
db:PACKETSTORMid:156397
db:PACKETSTORMid:160292
db:PACKETSTORMid:159094
db:PACKETSTORMid:156399
db:PACKETSTORMid:156934
db:PACKETSTORMid:156441
db:PACKETSTORMid:156423
db:CNNVDid:CNNVD-202002-315
db:NVDid:CVE-2020-7060

LAST UPDATE DATE

2024-11-23T19:33:19.823000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-185185date:2022-07-01T00:00:00
db:VULMONid:CVE-2020-7060date:2021-07-22T00:00:00
db:JVNDBid:JVNDB-2020-001730date:2020-02-21T00:00:00
db:CNNVDid:CNNVD-202002-315date:2022-11-22T00:00:00
db:NVDid:CVE-2020-7060date:2024-11-21T05:36:35.360

SOURCES RELEASE DATE

db:VULHUBid:VHN-185185date:2020-02-10T00:00:00
db:VULMONid:CVE-2020-7060date:2020-02-10T00:00:00
db:JVNDBid:JVNDB-2020-001730date:2020-02-21T00:00:00
db:PACKETSTORMid:156397date:2020-02-18T15:04:45
db:PACKETSTORMid:160292date:2020-12-01T16:36:40
db:PACKETSTORMid:159094date:2020-09-08T18:10:32
db:PACKETSTORMid:156399date:2020-02-18T15:05:02
db:PACKETSTORMid:156934date:2020-03-27T13:06:15
db:PACKETSTORMid:156441date:2020-02-20T17:44:31
db:PACKETSTORMid:156423date:2020-02-19T15:28:10
db:CNNVDid:CNNVD-202002-315date:2020-02-10T00:00:00
db:NVDid:CVE-2020-7060date:2020-02-10T08:15:12.797