Security updates & CURLFile bug

Asked by Bug Reporter on 2020-10-13

Hi there,
I was just wondering when the fixes for the following security bugs will be incorporated. They have been fixed in the upstream releases as specified in
- CVE-2020-7070 - PHP parses encoded cookie names so malicious `__Host-` cookies can be sent
- CVE-2020-7069 - Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV
- CVE-2019-11048 - Long variables cause OOM and temp files are not cleaned, Long variables in multipart/form-data cause OOM and temp files are not cleaned
- CVE-2020-7067 - OOB Read in urldecode()
- CVE-2020-7065 - mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full

We also encountered an issue with the CURLFile bug as specified in that has been fixed as of v7.4.4.

Thanks in advance.

Question information

English
Ubuntu php7.4
No assignee
Manfred Hampl (m-hampl) said : #2

And for the CURLFile issue see Bug #1887826
