UbuntuUpdates.org

Package "php7.2"

Name: php7.2

Description:

server-side, HTML-embedded scripting language (metapackage)

Latest version: 7.2.24-0ubuntu0.18.04.3
Release: bionic (18.04)
Level: security
Repository: main
Homepage: http://www.php.net/

Links

Save this URL for the latest version of "php7.2": https://www.ubuntuupdates.org/php7.2




Other versions of "php7.2" in Bionic

Repository  Area      Version
base        universe  7.2.3-1ubuntu1
security    universe  7.2.24-0ubuntu0.18.04.3
updates     universe  7.2.24-0ubuntu0.18.04.3
updates     main      7.2.24-0ubuntu0.18.04.3



Changelog

Version: 7.2.24-0ubuntu0.18.04.3 2020-02-17 21:06:33 UTC

  php7.2 (7.2.24-0ubuntu0.18.04.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Out of bounds read
    - debian/patches/CVE-2020-7059.patch: fix OOB read in
      php_strip_tags_ex in ext/standard/string.c and added test
      ext/standard/tests/file/bug79099.phpt.
    - CVE-2020-7059
  * SECURITY UPDATE: Buffer-overflow
    - debian/patches/CVE-2020-7060.patch: fix adding a check function
      is_in_cp950_pua in ext/mbstring/libmbfl/filters/mbfilter_big5.c
      and added test ext/mbstring/tests/bug79037.phpt.
    - CVE-2020-7060

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 11 Feb 2020 12:55:52 -0300

CVE-2020-7059 When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is pos
CVE-2020-7060 When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it

Version: 7.2.24-0ubuntu0.18.04.2 2020-01-15 14:07:06 UTC

  php7.2 (7.2.24-0ubuntu0.18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: silently truncates
    a class after a null byte
    - debian/patches/CVE-2019-11045.patch: not accept
      arbitrary strings in ext/spl/spl_directory.c,
      ext/spl/tests/bug78863.phpt.
    - CVE-2019-11045
  * SECURITY UPDATE: Buffer underflow
    - debian/patches/CVE-2019-11046.patch: not rely on `isdigit()`
      to detect digits in ext/bcmath/libbcmath/src/str2num.c,
      ext/bcmath/tests/bug78878.phpt.
    - CVE-2019-11046
  * SECURITY UPDATE: Heap-buffer-overflow
    - debian/patches/CVE-2019-11047.patch: fix in ext/exif/exif.c,
      ext/exif/tests/bug78910.phpt.
    - CVE-2019-11047
  * SECURITY UPDATE: Use-after-free
    - debian/patches/CVE-2019-11050.patch: fix in
      ext/exif/exif.c, ext/exif/tests/bug78793.phpt.
    - CVE-2019-11050

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 13 Jan 2020 15:39:59 -0300

CVE-2019-11045 In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them
CVE-2019-11046 In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked i
CVE-2019-11047 When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x belo
CVE-2019-11050 When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x belo

Version: 7.2.24-0ubuntu0.18.04.1 2019-10-28 18:06:58 UTC

  php7.2 (7.2.24-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: updated to 7.2.24 to fix security issue
    - CVE-2019-11043
  * Rebased patches:
    - debian/patches/0022-lp564920-fix-big-files.patch
  * Removed patches no longer required:
    - debian/patches/CVE-2019-11041.patch
    - debian/patches/CVE-2019-11042.patch

 -- Marc Deslauriers <email address hidden> Mon, 28 Oct 2019 08:07:07 -0400

CVE-2019-11041 When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x belo
CVE-2019-11042 When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x belo

Version: 7.2.19-0ubuntu0.18.04.2 2019-08-13 19:07:14 UTC

  php7.2 (7.2.19-0ubuntu0.18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Heap-buffer-overflow
    - debian/patches/CVE-2019-11041.patch: check Thumbnail.size in order
      to avoid an overflow in ext/exif.exif.c and adding test to
      ext/exif/tests/bug78222.phpt.
    - CVE-2019-11041
  * SECURITY UPDATE: Heap-buffer-overflow
    - debian/patches/CVE-2019-11042.patch: check ByteCount in order to
      avoid an overflow in ext/exif/exif.c and adding tests to
      ext/exif/tests/bug78256.phpt.
    - CVE-2019-11042

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 12 Aug 2019 16:34:28 -0300

CVE-2019-11041 When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x belo
CVE-2019-11042 When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x belo

Version: 7.2.19-0ubuntu0.18.04.1 2019-06-05 18:07:31 UTC

  php7.2 (7.2.19-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * Updated to 7.2.19 to fix multiple security issues.
    - CVE-2019-11036
    - CVE-2019-11039
    - CVE-2019-11040
  * Refreshed patches:
    - debian/patches/0039-hack-phpdbg-to-explicitly-link-with-libedit.patch

 -- Marc Deslauriers <email address hidden> Tue, 04 Jun 2019 10:48:12 -0400

CVE-2019-11036 When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past
CVE-2019-11039 Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow
CVE-2019-11040 heap-buffer-overflow on php_jpg_get16


