[ubuntu/focal-proposed] php7.4 7.4.3-4ubuntu2 (Accepted)

Leonidas S. Barbosa leo.barbosa at canonical.com
Thu Apr 16 20:43:29 UTC 2020 

php7.4 (7.4.3-4ubuntu2) focal; urgency=medium

  * SECURITY UPDATE: Read one byte of uninitialized memory
    - debian/patches/CVE-2020-7064.patch: check length in
      exif_process_TIFF_in_JPEG to avoid read uninitialized memory
      ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
    - CVE-2020-7064
  * SECURITY UPDATE: Memory corruption, crash and potentially code execution
    - debian/patches/CVE-2020-7065.patch: make sure that negative values are
      properly compared in ext/mbstring/php_unicode.c,
      ext/mbstring/tests/bug70371.phpt.
    - CVE-2020-7065
  * SECURITY UPDATE: Truncated url due \0
    - debian/patches/CVE-2020-7066.patch: check for get_headers
      not accepting \0 in ext/standard/url.c.
    - CVE-2020-7066

Date: Mon, 13 Apr 2020 09:32:06 -0300
Changed-By: leo.barbosa at canonical.com (Leonidas S. Barbosa)
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2
-------------- next part --------------
Format: 1.8
Date: Mon, 13 Apr 2020 09:32:06 -0300
Source: php7.4
Architecture: source
Version: 7.4.3-4ubuntu2
Distribution: focal
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Leonidas S. Barbosa <leo.barbosa at canonical.com>
Changes:
 php7.4 (7.4.3-4ubuntu2) focal; urgency=medium
 .
   * SECURITY UPDATE: Read one byte of uninitialized memory
     - debian/patches/CVE-2020-7064.patch: check length in
       exif_process_TIFF_in_JPEG to avoid read uninitialized memory
       ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
     - CVE-2020-7064
   * SECURITY UPDATE: Memory corruption, crash and potentially code execution
     - debian/patches/CVE-2020-7065.patch: make sure that negative values are
       properly compared in ext/mbstring/php_unicode.c,
       ext/mbstring/tests/bug70371.phpt.
     - CVE-2020-7065
   * SECURITY UPDATE: Truncated url due \0
     - debian/patches/CVE-2020-7066.patch: check for get_headers
       not accepting \0 in ext/standard/url.c.
     - CVE-2020-7066
Checksums-Sha1:
 7f2e5f35b595291aeba7ab45c9f27cdfa0c23f6a 5604 php7.4_7.4.3-4ubuntu2.dsc
 d443934b6707c6461a7f4c91d6f0a82068e2091e 66684 php7.4_7.4.3-4ubuntu2.debian.tar.xz
 b1fca71adce526868b638f65e6f8166250256b04 14850 php7.4_7.4.3-4ubuntu2_source.buildinfo
Checksums-Sha256:
 092dd059a76644c2d3673e92cbe8f09073dd600b4995aabb5ff6518af729c98d 5604 php7.4_7.4.3-4ubuntu2.dsc
 60af7906f0410830223b21ab0b20b43e19e61720e3230dbc813d7ba78e7d7568 66684 php7.4_7.4.3-4ubuntu2.debian.tar.xz
 b2553b08230416d4cfb7c223d802fd447ef14d79152a57088e1f5932df398449 14850 php7.4_7.4.3-4ubuntu2_source.buildinfo
Files:
 2f6c0588334bea5d87fd568c36ad0041 5604 php optional php7.4_7.4.3-4ubuntu2.dsc
 388f141f741f4c62d587bd101d3eafe9 66684 php optional php7.4_7.4.3-4ubuntu2.debian.tar.xz
 b72959ad23ea06c67bc47959868daf92 14850 php optional php7.4_7.4.3-4ubuntu2_source.buildinfo
Original-Maintainer: Debian PHP Maintainers <team+pkg-php at tracker.debian.org>

More information about the Focal-changes mailing list