UbuntuUpdates.org

Package "php7.3"

Name: php7.3

Description:

This package is just an umbrella for a group of other packages; it has no description.
Description samples from packages in group:

  • HTML-embedded scripting language (Embedded SAPI library)
  • Bcmath module for PHP
  • bzip2 module for PHP
  • DBA module for PHP

Latest version: 7.3.11-0ubuntu0.19.10.3
Release: eoan (19.10)
Level: security
Repository: universe

Links

Save this URL for the latest version of "php7.3": https://www.ubuntuupdates.org/php7.3



Other versions of "php7.3" in Eoan

Repository  Area      Version
base        main      7.3.8-1
security    main      7.3.11-0ubuntu0.19.10.3
updates     universe  7.3.11-0ubuntu0.19.10.3
updates     main      7.3.11-0ubuntu0.19.10.3


Changelog

Version: 7.3.11-0ubuntu0.19.10.3 2020-02-17 21:06:44 UTC

  php7.3 (7.3.11-0ubuntu0.19.10.3) eoan-security; urgency=medium

  * SECURITY UPDATE: Out of bounds read, buffer overflow and
    heap use-after-free
    - debian/patches/CVE-2020-7059-and-CVE-2020-7060.patch:
      fix OOB read in php_strip_tags_ex in ext/standard/string.c
      and added test ext/standard/tests/file/bug79099.phpt,
      fix adding a check function
      is_in_cp950_pua in ext/mbstring/libmbfl/filters/mbfilter_big5.c
      and added test ext/mbstring/tests/bug79037.phpt,
      fix use-after-free in session_create_id() and
      added tests ext/session/tests/bug79091.phpt.
    - CVE-2020-7059
    - CVE-2020-7060

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 12 Feb 2020 12:22:33 -0300

CVE-2020-7059 When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is pos
CVE-2020-7060 When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it

Version: 7.3.11-0ubuntu0.19.10.2 2020-01-15 14:07:16 UTC

  php7.3 (7.3.11-0ubuntu0.19.10.2) eoan-security; urgency=medium

  * SECURITY UPDATE: silently truncates
    a class after a null byte
    - debian/patches/CVE-2019-11045.patch: not accept
      arbitrary strings in ext/spl/spl_directory.c,
      ext/spl/tests/bug78863.phpt.
    - CVE-2019-11045
  * SECURITY UPDATE: Buffer underflow
    - debian/patches/CVE-2019-11046.patch: not rely on `isdigit()`
      to detect digits in ext/bcmath/libbcmath/src/str2num.c,
      ext/bcmath/tests/bug78878.phpt.
    - CVE-2019-11046
  * SECURITY UPDATE: Heap-buffer-overflow
    - debian/patches/CVE-2019-11047.patch: fix in ext/exif/exif.c,
      ext/exif/tests/bug78910.phpt.
    - CVE-2019-11047
  * SECURITY UPDATE: Use-after-free
    - debian/patches/CVE-2019-11050.patch: fix in
      ext/exif/exif.c, ext/exif/tests/bug78793.phpt.
    - CVE-2019-11050
  * Fixing tests bug54291 and bug78878
    - debian/patches/Fixing-test-bug54291.patch: fix in
      ext/spl/tests/bug54291.phpt.
    - debian/patches/Fixing-test-78878.patch: fix in
      ext/bcmath/tests/bug78878.phpt

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 14 Jan 2020 12:33:46 -0300

CVE-2019-11045 In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them
CVE-2019-11046 In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked i
CVE-2019-11047 When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x belo
CVE-2019-11050 When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x belo

Version: 7.3.11-0ubuntu0.19.10.1 2019-10-28 19:07:12 UTC

  php7.3 (7.3.11-0ubuntu0.19.10.1) eoan-security; urgency=medium

  * SECURITY UPDATE: updated to 7.3.11 to fix security issue
    - CVE-2019-11043
  * Refreshed patches.
  * debian/rules: temporarily disable setting up MySQL for the tests as the
    setup script isn't compatible with MySQL 8.0 and the MySQL tests didn't
    seem to run anyway.

 -- Marc Deslauriers <email address hidden> Thu, 24 Oct 2019 07:38:49 -0400



