* [Buildroot] [PATCH 1/1] package/php: security bump to version 7.4.11
@ 2020-10-03 20:21 Fabrice Fontaine
2020-10-04 9:19 ` Peter Korsgaard
2020-10-05 6:11 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2020-10-03 20:21 UTC (permalink / raw)
To: buildroot
- Fix CVE-2020-7069: In PHP versions 7.2.x below 7.2.34, 7.3.x below
7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with
openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the
IV is actually used. This can lead to both decreased security and
incorrect encryption data.
- Fix CVE-2020-7070: In PHP versions 7.2.x below 7.2.34, 7.3.x below
7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP
cookie values, the cookie names are url-decoded. This may lead to
cookies with prefixes like __Host confused with cookies that decode to
such prefix, thus leading to an attacker being able to forge cookie
which is supposed to be secure. See also CVE-2020-8184 for more
information.
https://www.php.net/ChangeLog-7.php#7.4.11
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/php/php.hash | 2 +-
package/php/php.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/php/php.hash b/package/php/php.hash
index c383c471eb..77a0feb555 100644
--- a/package/php/php.hash
+++ b/package/php/php.hash
@@ -1,5 +1,5 @@
# From https://www.php.net/downloads.php
-sha256 c2d90b00b14284588a787b100dee54c2400e7db995b457864d66f00ad64fb010 php-7.4.10.tar.xz
+sha256 5d31675a9b9c21b5bd03389418218c30b26558246870caba8eb54f5856e2d6ce php-7.4.11.tar.xz
# License file
sha256 0967ad6cf4b7fe81d38709d7aaef3fecb3bd685be7eebb37b864aa34c991baa7 LICENSE
diff --git a/package/php/php.mk b/package/php/php.mk
index 3047bfe94d..6b528cdc33 100644
--- a/package/php/php.mk
+++ b/package/php/php.mk
@@ -4,7 +4,7 @@
#
################################################################################
-PHP_VERSION = 7.4.10
+PHP_VERSION = 7.4.11
PHP_SITE = http://www.php.net/distributions
PHP_SOURCE = php-$(PHP_VERSION).tar.xz
PHP_INSTALL_STAGING = YES
--
2.28.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/php: security bump to version 7.4.11
2020-10-03 20:21 [Buildroot] [PATCH 1/1] package/php: security bump to version 7.4.11 Fabrice Fontaine
@ 2020-10-04 9:19 ` Peter Korsgaard
2020-10-05 6:11 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2020-10-04 9:19 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2020-7069: In PHP versions 7.2.x below 7.2.34, 7.3.x below
> 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with
> openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the
> IV is actually used. This can lead to both decreased security and
> incorrect encryption data.
> - Fix CVE-2020-7070: In PHP versions 7.2.x below 7.2.34, 7.3.x below
> 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP
> cookie values, the cookie names are url-decoded. This may lead to
> cookies with prefixes like __Host confused with cookies that decode to
> such prefix, thus leading to an attacker being able to forge cookie
> which is supposed to be secure. See also CVE-2020-8184 for more
> information.
> https://www.php.net/ChangeLog-7.php#7.4.11
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/php: security bump to version 7.4.11
2020-10-03 20:21 [Buildroot] [PATCH 1/1] package/php: security bump to version 7.4.11 Fabrice Fontaine
2020-10-04 9:19 ` Peter Korsgaard
@ 2020-10-05 6:11 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2020-10-05 6:11 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2020-7069: In PHP versions 7.2.x below 7.2.34, 7.3.x below
> 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with
> openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the
> IV is actually used. This can lead to both decreased security and
> incorrect encryption data.
> - Fix CVE-2020-7070: In PHP versions 7.2.x below 7.2.34, 7.3.x below
> 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP
> cookie values, the cookie names are url-decoded. This may lead to
> cookies with prefixes like __Host confused with cookies that decode to
> such prefix, thus leading to an attacker being able to forge cookie
> which is supposed to be secure. See also CVE-2020-8184 for more
> information.
> https://www.php.net/ChangeLog-7.php#7.4.11
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2020.02.x, 2020.05.x and 2020.08.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-10-05 6:11 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-03 20:21 [Buildroot] [PATCH 1/1] package/php: security bump to version 7.4.11 Fabrice Fontaine
2020-10-04 9:19 ` Peter Korsgaard
2020-10-05 6:11 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.