Security updates & CURLFile bug

Asked by Bug Reporter on 2020-10-13

Hi there,
I was just wondering when the fixes for the following security bugs will be incorporated. They have been fixed in the upstream releases as specified in https://www.php.net/ChangeLog-7.php#7.4.10
- CVE-2020-7070 - PHP parses encoded cookie names so malicious `__Host-` cookies can be sent
- CVE-2020-7069 - Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV
- CVE-2019-11048 - Long variables cause OOM and temp files are not cleaned, Long variables in multipart/form-data cause OOM and temp files are not cleaned
- CVE-2020-7067 - OOB Read in urldecode()
- CVE-2020-7065 - mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full

We also encountered an issue with CURLFile bug as specified in https://bugs.php.net/bug.php?id=79013 that has been fixed as of v7.4.4.

Thanks in advance.

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu php7.4 Edit question
Assignee:
No assignee Edit question
Last query:
2020-10-13
Last reply:
2020-10-13
Manfred Hampl (m-hampl) said : #2

And for the CURLFile issue see Bug #1887826

Can you help with this problem?

Provide an answer of your own, or ask Bug Reporter for more information if necessary.

To post a message you must log in.