RedHat Enterprise Linux 8: RHSA-2021-4213 Moderate: PHP 7.4 Security Issue

red hat

November 9, 2021

An update for the php:7.4 module is now available for Red Hat Enterprise Linux 8

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Summary

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
The following packages have been upgraded to a later upstream version: php (7.4.19). (BZ#1944110)
Security Fix(es):
* php: Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV (CVE-2020-7069)
* php: FILTER_VALIDATE_URL accepts URLs with invalid userinfo (CVE-2020-7071)
* php: Use of freed hash key in the phar_parse_zipfile function (CVE-2020-7068)
* php: URL decoding of cookie names can lead to different interpretation of cookies between browser and server (CVE-2020-7070)
* php: NULL pointer dereference in SoapClient (CVE-2021-21702)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section.

Topics Covered

security advisory moderate security fix Red Hat Enterprise Linux PHP module AES-CCM URL validation

References

https://access.redhat.com/security/cve/CVE-2020-7068 https://access.redhat.com/security/cve/CVE-2020-7069 https://access.redhat.com/security/cve/CVE-2020-7070 https://access.redhat.com/security/cve/CVE-2020-7071 https://access.redhat.com/security/cve/CVE-2021-21702 https://access.redhat.com/security/updates/classification#moderate https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/8.5_release_notes/index

Package List

Red Hat Enterprise Linux AppStream (v. 8):
Source: libzip-1.6.1-1.module+el8.3.0+6678+b09f589e.src.rpm php-7.4.19-1.module+el8.5.0+11143+cc873159.src.rpm php-pear-1.10.12-1.module+el8.3.0+6678+b09f589e.src.rpm php-pecl-apcu-5.1.18-1.module+el8.3.0+6678+b09f589e.src.rpm php-pecl-rrd-2.0.1-1.module+el8.3.0+6678+b09f589e.src.rpm php-pecl-xdebug-2.9.5-1.module+el8.3.0+6678+b09f589e.src.rpm php-pecl-zip-1.18.2-1.module+el8.3.0+6678+b09f589e.src.rpm
aarch64: libzip-1.6.1-1.module+el8.3.0+6678+b09f589e.aarch64.rpm libzip-debuginfo-1.6.1-1.module+el8.3.0+6678+b09f589e.aarch64.rpm libzip-debugsource-1.6.1-1.module+el8.3.0+6678+b09f589e.aarch64.rpm libzip-devel-1.6.1-1.module+el8.3.0+6678+b09f589e.aarch64.rpm libzip-tools-1.6.1-1.module+el8.3.0+6678+b09f589e.aarch64.rpm libzip-tools-debuginfo-1.6.1-1.module+el8.3.0+6678+b09f589e.aarch64.rpm php-7.4.19-1.module+el8.5.0+11143+cc873159.aarch64.rpm php-bcmath-7.4.19-1.module+el8.5.0+11143+cc873159.aarch64.rpm php-bcmath-debuginfo-7.4.19-1.module+el8.5.0+11143+cc873159.aarch64.rpm php-cli-7.4.19-1.module+el8.5.0+11143+cc873159.aarch64.rpm php-cli-debuginfo-7.4.19-1.module+el8.5.0+11143+cc873159.aarch64.rpm php-common-7.4.19-1.module+el8.5.0+11143+cc873159.aarch64.rpm

Read the Full Advisory

Advisory ID: RHSA-2021:4213-01

Product: Red Hat Enterprise Linux

Advisory URL: https://access.redhat.com/errata/RHSA-2021:4213

Issue date: 2021-11-09

Topic

An update for the php:7.4 module is now available for Red Hat EnterpriseLinux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics Covered

security advisory moderate security fix Red Hat Enterprise Linux PHP module AES-CCM URL validation

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

Bugs Fixed

1868109 - CVE-2020-7068 php: Use of freed hash key in the phar_parse_zipfile function

1885735 - CVE-2020-7069 php: Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV

1885738 - CVE-2020-7070 php: URL decoding of cookie names can lead to different interpretation of cookies between browser and server

1913846 - CVE-2020-7071 php: FILTER_VALIDATE_URL accepts URLs with invalid userinfo

1925272 - CVE-2021-21702 php: NULL pointer dereference in SoapClient

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

RedHat Enterprise Linux 8: RHSA-2021-4213 Moderate: PHP 7.4 Security Issue

Solution

Summary

Topics Covered

References

Package List

Topic

Topics Covered

Relevant Releases Architectures

Bugs Fixed

Get the latest News and Insights

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

RedHat Enterprise Linux 8: RHSA-2021-4213 Moderate: PHP 7.4 Security Issue

Solution

Summary

Topics Covered

References

Package List

Topic

Topics Covered

Relevant Releases Architectures

Bugs Fixed

Get the latest News and Insights

Related Articles

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!