All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/1] package/php: security bump to version 7.4.11
@ 2020-10-03 20:21 Fabrice Fontaine
  2020-10-04  9:19 ` Peter Korsgaard
  2020-10-05  6:11 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2020-10-03 20:21 UTC (permalink / raw)
  To: buildroot

- Fix CVE-2020-7069: In PHP versions 7.2.x below 7.2.34, 7.3.x below
  7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with
  openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the
  IV is actually used. This can lead to both decreased security and
  incorrect encryption data.
- Fix CVE-2020-7070: In PHP versions 7.2.x below 7.2.34, 7.3.x below
  7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP
  cookie values, the cookie names are url-decoded. This may lead to
  cookies with prefixes like __Host confused with cookies that decode to
  such prefix, thus leading to an attacker being able to forge cookie
  which is supposed to be secure. See also CVE-2020-8184 for more
  information.

https://www.php.net/ChangeLog-7.php#7.4.11

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/php/php.hash | 2 +-
 package/php/php.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/php/php.hash b/package/php/php.hash
index c383c471eb..77a0feb555 100644
--- a/package/php/php.hash
+++ b/package/php/php.hash
@@ -1,5 +1,5 @@
 # From https://www.php.net/downloads.php
-sha256  c2d90b00b14284588a787b100dee54c2400e7db995b457864d66f00ad64fb010  php-7.4.10.tar.xz
+sha256  5d31675a9b9c21b5bd03389418218c30b26558246870caba8eb54f5856e2d6ce  php-7.4.11.tar.xz
 
 # License file
 sha256  0967ad6cf4b7fe81d38709d7aaef3fecb3bd685be7eebb37b864aa34c991baa7  LICENSE
diff --git a/package/php/php.mk b/package/php/php.mk
index 3047bfe94d..6b528cdc33 100644
--- a/package/php/php.mk
+++ b/package/php/php.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-PHP_VERSION = 7.4.10
+PHP_VERSION = 7.4.11
 PHP_SITE = http://www.php.net/distributions
 PHP_SOURCE = php-$(PHP_VERSION).tar.xz
 PHP_INSTALL_STAGING = YES
-- 
2.28.0

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [Buildroot] [PATCH 1/1] package/php: security bump to version 7.4.11
  2020-10-03 20:21 [Buildroot] [PATCH 1/1] package/php: security bump to version 7.4.11 Fabrice Fontaine
@ 2020-10-04  9:19 ` Peter Korsgaard
  2020-10-05  6:11 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2020-10-04  9:19 UTC (permalink / raw)
  To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fix CVE-2020-7069: In PHP versions 7.2.x below 7.2.34, 7.3.x below
 >   7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with
 >   openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the
 >   IV is actually used. This can lead to both decreased security and
 >   incorrect encryption data.
 > - Fix CVE-2020-7070: In PHP versions 7.2.x below 7.2.34, 7.3.x below
 >   7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP
 >   cookie values, the cookie names are url-decoded. This may lead to
 >   cookies with prefixes like __Host confused with cookies that decode to
 >   such prefix, thus leading to an attacker being able to forge cookie
 >   which is supposed to be secure. See also CVE-2020-8184 for more
 >   information.

 > https://www.php.net/ChangeLog-7.php#7.4.11

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [Buildroot] [PATCH 1/1] package/php: security bump to version 7.4.11
  2020-10-03 20:21 [Buildroot] [PATCH 1/1] package/php: security bump to version 7.4.11 Fabrice Fontaine
  2020-10-04  9:19 ` Peter Korsgaard
@ 2020-10-05  6:11 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2020-10-05  6:11 UTC (permalink / raw)
  To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fix CVE-2020-7069: In PHP versions 7.2.x below 7.2.34, 7.3.x below
 >   7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with
 >   openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the
 >   IV is actually used. This can lead to both decreased security and
 >   incorrect encryption data.
 > - Fix CVE-2020-7070: In PHP versions 7.2.x below 7.2.34, 7.3.x below
 >   7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP
 >   cookie values, the cookie names are url-decoded. This may lead to
 >   cookies with prefixes like __Host confused with cookies that decode to
 >   such prefix, thus leading to an attacker being able to forge cookie
 >   which is supposed to be secure. See also CVE-2020-8184 for more
 >   information.

 > https://www.php.net/ChangeLog-7.php#7.4.11

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2020.02.x, 2020.05.x and 2020.08.x, thanks.

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-10-05  6:11 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-03 20:21 [Buildroot] [PATCH 1/1] package/php: security bump to version 7.4.11 Fabrice Fontaine
2020-10-04  9:19 ` Peter Korsgaard
2020-10-05  6:11 ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.