openSUSE-SU-2020:0080-1

Опубликовано: 20 янв. 2020

Источник: suse-cvrf

Описание

Security update for php7

This update for php7 fixes the following issues:

CVE-2019-11045: Fixed an issue with improper input validation in the filename handling of the DirectoryIterator class (bsc#1159923).
CVE-2019-11046: Fixed an information leak in bc_shift_addsub() (bsc#1159924).
CVE-2019-11047, CVE-2019-11050: Fixed multiple information leaks in exif_read_data() (bsc#1159922, bsc#1159927).

This update was imported from the SUSE:SLE-15:Update update project.

Список пакетов

openSUSE Leap 15.1

apache2-mod_php7-7.2.5-lp151.6.19.2

php7-7.2.5-lp151.6.19.2

php7-bcmath-7.2.5-lp151.6.19.2

php7-bz2-7.2.5-lp151.6.19.2

php7-calendar-7.2.5-lp151.6.19.2

php7-ctype-7.2.5-lp151.6.19.2

php7-curl-7.2.5-lp151.6.19.2

php7-dba-7.2.5-lp151.6.19.2

php7-devel-7.2.5-lp151.6.19.2

php7-dom-7.2.5-lp151.6.19.2

php7-embed-7.2.5-lp151.6.19.2

php7-enchant-7.2.5-lp151.6.19.2

php7-exif-7.2.5-lp151.6.19.2

php7-fastcgi-7.2.5-lp151.6.19.2

php7-fileinfo-7.2.5-lp151.6.19.2

php7-firebird-7.2.5-lp151.6.19.2

php7-fpm-7.2.5-lp151.6.19.2

php7-ftp-7.2.5-lp151.6.19.2

php7-gd-7.2.5-lp151.6.19.2

php7-gettext-7.2.5-lp151.6.19.2

php7-gmp-7.2.5-lp151.6.19.2

php7-iconv-7.2.5-lp151.6.19.2

php7-intl-7.2.5-lp151.6.19.2

php7-json-7.2.5-lp151.6.19.2

php7-ldap-7.2.5-lp151.6.19.2

php7-mbstring-7.2.5-lp151.6.19.2

php7-mysql-7.2.5-lp151.6.19.2

php7-odbc-7.2.5-lp151.6.19.2

php7-opcache-7.2.5-lp151.6.19.2

php7-openssl-7.2.5-lp151.6.19.2

php7-pcntl-7.2.5-lp151.6.19.2

php7-pdo-7.2.5-lp151.6.19.2

php7-pear-7.2.5-lp151.6.19.2

php7-pear-Archive_Tar-7.2.5-lp151.6.19.2

php7-pgsql-7.2.5-lp151.6.19.2

php7-phar-7.2.5-lp151.6.19.2

php7-posix-7.2.5-lp151.6.19.2

php7-readline-7.2.5-lp151.6.19.2

php7-shmop-7.2.5-lp151.6.19.2

php7-snmp-7.2.5-lp151.6.19.2

php7-soap-7.2.5-lp151.6.19.2

php7-sockets-7.2.5-lp151.6.19.2

php7-sodium-7.2.5-lp151.6.19.2

php7-sqlite-7.2.5-lp151.6.19.2

php7-sysvmsg-7.2.5-lp151.6.19.2

php7-sysvsem-7.2.5-lp151.6.19.2

php7-sysvshm-7.2.5-lp151.6.19.2

php7-test-7.2.5-lp151.6.19.2

php7-tidy-7.2.5-lp151.6.19.2

php7-tokenizer-7.2.5-lp151.6.19.2

php7-wddx-7.2.5-lp151.6.19.2

php7-xmlreader-7.2.5-lp151.6.19.2

php7-xmlrpc-7.2.5-lp151.6.19.2

php7-xmlwriter-7.2.5-lp151.6.19.2

php7-xsl-7.2.5-lp151.6.19.2

php7-zip-7.2.5-lp151.6.19.2

php7-zlib-7.2.5-lp151.6.19.2

Ссылки

https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AJ75XT7HO4E46GU3GJ7IVL7DJR3SYG2A/
E-Mail link for openSUSE-SU-2020:0080-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1159922
SUSE Bug 1159922
https://bugzilla.suse.com/1159923
SUSE Bug 1159923
https://bugzilla.suse.com/1159924
SUSE Bug 1159924
https://bugzilla.suse.com/1159927
SUSE Bug 1159927
https://www.suse.com/security/cve/CVE-2019-11045/
SUSE CVE CVE-2019-11045 page
https://www.suse.com/security/cve/CVE-2019-11046/
SUSE CVE CVE-2019-11046 page
https://www.suse.com/security/cve/CVE-2019-11047/
SUSE CVE CVE-2019-11047 page
https://www.suse.com/security/cve/CVE-2019-11050/
SUSE CVE CVE-2019-11050 page

Описание

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

Затронутые продукты

openSUSE Leap 15.1:apache2-mod_php7-7.2.5-lp151.6.19.2

openSUSE Leap 15.1:php7-7.2.5-lp151.6.19.2

openSUSE Leap 15.1:php7-bcmath-7.2.5-lp151.6.19.2

openSUSE Leap 15.1:php7-bz2-7.2.5-lp151.6.19.2

Ссылки

https://www.suse.com/security/cve/CVE-2019-11045.html
CVE-2019-11045
https://bugzilla.suse.com/1159923
SUSE Bug 1159923

Описание

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.

Затронутые продукты

openSUSE Leap 15.1:apache2-mod_php7-7.2.5-lp151.6.19.2

openSUSE Leap 15.1:php7-7.2.5-lp151.6.19.2

openSUSE Leap 15.1:php7-bcmath-7.2.5-lp151.6.19.2

openSUSE Leap 15.1:php7-bz2-7.2.5-lp151.6.19.2

Ссылки

https://www.suse.com/security/cve/CVE-2019-11046.html
CVE-2019-11046
https://bugzilla.suse.com/1159924
SUSE Bug 1159924

Описание

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

Затронутые продукты

openSUSE Leap 15.1:apache2-mod_php7-7.2.5-lp151.6.19.2

openSUSE Leap 15.1:php7-7.2.5-lp151.6.19.2

openSUSE Leap 15.1:php7-bcmath-7.2.5-lp151.6.19.2

openSUSE Leap 15.1:php7-bz2-7.2.5-lp151.6.19.2

Ссылки

https://www.suse.com/security/cve/CVE-2019-11047.html
CVE-2019-11047
https://bugzilla.suse.com/1159922
SUSE Bug 1159922

Описание

Затронутые продукты

openSUSE Leap 15.1:apache2-mod_php7-7.2.5-lp151.6.19.2

openSUSE Leap 15.1:php7-7.2.5-lp151.6.19.2

openSUSE Leap 15.1:php7-bcmath-7.2.5-lp151.6.19.2

openSUSE Leap 15.1:php7-bz2-7.2.5-lp151.6.19.2

Ссылки

https://www.suse.com/security/cve/CVE-2019-11050.html
CVE-2019-11050
https://bugzilla.suse.com/1159927
SUSE Bug 1159927

openSUSE-SU-2020:0080-1

Описание

Список пакетов

openSUSE Leap 15.1

Ссылки

Уязвимость: CVE-2019-11045

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2019-11046

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2019-11047

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2019-11050

Описание

Затронутые продукты

Ссылки