[ubuntu/groovy-security] php7.4 7.4.9-1ubuntu1.2 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Wed Jul 7 11:53:23 UTC 2021


php7.4 (7.4.9-1ubuntu1.2) groovy-security; urgency=medium

  * SECURITY UPDATE: incorrect URL validation
    - debian/patches/CVE-2020-7071-1.patch: make sure userinfo is valid
      according to RFC 3986 in ext/filter/tests/bug77423.phpt,
      ext/standard/url.c.
    - debian/patches/CVE-2020-7071-2.patch: revert previous fix and use a
      better one in ext/filter/logical_filters.c,
      ext/filter/tests/bug77423.phpt, ext/standard/url.c.
    - debian/patches/CVE-2020-7071-3.patch: remove unneeded function in
      ext/standard/url.c.
    - CVE-2020-7071
  * SECURITY UPDATE: crash via malformed XML data in SOAP extension
    - debian/patches/CVE-2021-21702-1.patch: check strings in
      ext/soap/php_sdl.c, ext/soap/php_xml.c, ext/soap/tests/bug80672.phpt,
      ext/soap/tests/bug80672.xml.
    - debian/patches/CVE-2021-21702-2.patch: fix compiler warning in
      ext/soap/php_sdl.c.
    - CVE-2021-21702
  * SECURITY UPDATE: multiple issues in the pdo_firebird module
    - debian/patches/CVE-2021-21704-1.patch: prevent overflow in
      ext/pdo_firebird/firebird_statement.c.
    - debian/patches/CVE-2021-21704-2.patch: verify result_size in
      ext/pdo_firebird/firebird_statement.c.
    - debian/patches/CVE-2021-21704-3.patch: verify result_size in
      ext/pdo_firebird/firebird_driver.c.
    - debian/patches/CVE-2021-21704-4.patch: don't overflow stack in
      ext/pdo_firebird/firebird_driver.c.
    - CVE-2021-21704
  * SECURITY UPDATE: SSRF bypass
    - debian/patches/CVE-2021-21705.patch: check password in
      ext/filter/logical_filters.c, ext/filter/tests/bug81122.phpt.
    - debian/patches/CVE-2021-21705-2.patch: fix compiler warning in
      ext/filter/logical_filters.c.
    - CVE-2021-21705

Date: 2021-07-05 17:38:43.351334+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/php7.4/7.4.9-1ubuntu1.2