Package "php7.4"

Name: php7.4


server-side, HTML-embedded scripting language (metapackage)

Latest version: 7.4.3-4ubuntu2.13
Release: focal (20.04)
Level: updates
Repository: main
Homepage: http://www.php.net/


Download "php7.4"

Other versions of "php7.4" in Focal

Repository Area Version
base universe 7.4.3-4ubuntu1
base main 7.4.3-4ubuntu1
security main 7.4.3-4ubuntu2.12
security universe 7.4.3-4ubuntu2.12
updates universe 7.4.3-4ubuntu2.13

Packages in group

Deleted packages are displayed in grey.


Version: 7.4.3-4ubuntu2.13 2022-09-05 11:07:11 UTC

  php7.4 (7.4.3-4ubuntu2.13) focal; urgency=medium

  * d/p/0047-Update-gcc-func-attr-macro.patch: fix detection of unknown gcc
    function attributes. (LP: #1882279)

 -- Athos Ribeiro <email address hidden> Wed, 17 Aug 2022 10:29:56 -0300

Source diff to previous version
1882279 PHP built from source performs much better than the Ubuntu packaged version

Version: 7.4.3-4ubuntu2.12 2022-06-15 14:06:24 UTC

  php7.4 (7.4.3-4ubuntu2.12) focal-security; urgency=medium

  * SECURITY UPDATE: RCE via Uninitialized array in pg_query_params()
    - debian/patches/CVE-2022-31625.patch: don't free parameters which
      haven't initialized yet in ext/pgsql/pgsql.c,
    - CVE-2022-31625
  * SECURITY UPDATE: RCE via mysqlnd/pdo password buffer overflow
    - debian/patches/CVE-20022-31626.patch: properly calculate size in
    - CVE-2022-31626

 -- Marc Deslauriers <email address hidden> Mon, 13 Jun 2022 09:43:30 -0400

Source diff to previous version

Version: 7.4.3-4ubuntu2.11 2022-06-14 23:06:18 UTC

  php7.4 (7.4.3-4ubuntu2.11) focal; urgency=medium

  * d/p/0048-Fix-bug-79603-by-retrying-on-RTD-key-collision.patch: retry on RTD
    key collision. (LP: #1968228)

 -- Athos Ribeiro <email address hidden> Thu, 05 May 2022 21:16:42 -0300

Source diff to previous version
1968228 RTD collision with opcache

Version: 7.4.3-4ubuntu2.10 2022-03-03 17:06:23 UTC

  php7.4 (7.4.3-4ubuntu2.10) focal-security; urgency=medium

  * SECURITY UPDATE: DoS in zend_string_extend function
    - debian/patches/CVE-2017-8923.patch: fix integer Overflow when
      concatenating strings in Zend/zend_vm_def.h, Zend/zend_vm_execute.h.
    - CVE-2017-8923
  * SECURITY UPDATE: out of bounds access in php_pcre_replace_impl
    - debian/patches/CVE-2017-9118-pre1.patch: fix heap buffer overflow via
      str_repeat in Zend/zend_operators.c, Zend/zend_string.h.
    - debian/patches/CVE-2017-9118-pre2.patch: fix memory corruption in
      preg_replace/preg_replace_callback in ext/pcre/php_pcre.c,
    - debian/patches/CVE-2017-9118-pre3.patch: fix too much memory is
      allocated for preg_replace() in ext/pcre/php_pcre.c,
    - debian/patches/CVE-2017-9118.patch: fix out of bounds in
      php_pcre_replace_impl in Zend/zend_string.h, ext/pcre/php_pcre.c.
    - CVE-2017-9118
  * SECURITY UPDATE: DoS via memory consumption in i_zval_ptr_dtor
    - debian/patches/CVE-2017-9119.patch: handle memory limit error during
      string reallocation correctly in Zend/zend_string.h.
    - CVE-2017-9119
  * SECURITY UPDATE: DoS via integer overflow in mysqli_real_escape_string
    - debian/patches/CVE-2017-9120.patch: fix overflow in
    - CVE-2017-9120
  * SECURITY UPDATE: filename truncation issue in XML parsing functions
    - debian/patches/CVE-2021-21707.patch: special character is breaking
      the path in xml function in ext/dom/domimplementation.c,
      ext/dom/tests/bug79971_2.phpt, ext/libxml/libxml.c,
    - CVE-2021-21707

 -- Marc Deslauriers <email address hidden> Wed, 02 Mar 2022 10:36:52 -0500

Source diff to previous version
CVE-2017-8923 The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative lengt
CVE-2017-9118 PHP 7.1.5 has an Out of bounds access in php_pcre_replace_impl via a crafted preg_replace call.
CVE-2017-9119 The i_zval_ptr_dtor function in Zend/zend_variables.h in PHP 7.1.5 allows attackers to cause a denial of service (memory consumption and application
CVE-2017-9120 PHP 7.x through 7.1.5 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other
CVE-2021-21707 In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode

Version: 7.4.3-4ubuntu2.9 2022-02-28 14:07:13 UTC

  php7.4 (7.4.3-4ubuntu2.9) focal-security; urgency=medium

  * SECURITY UPDATE: Use after free
    - debian/patches/CVE-2021-21708.patch: change the call to
      zval_ptr_dtor in ext/filter/logical_filters.c to be done
      after a validation is succeeded, and add a test for this
      case in ext/filter/tests/bug81708.phpt
    - CVE-2021-21708

 -- Rodrigo Figueiredo Zaiden <email address hidden> Thu, 24 Feb 2022 11:55:48 -0300

About   -   Send Feedback to @ubuntu_updates