Advisories » MGASA-2019-0253

Updated php packages fix security vulnerabilities

Publication date: 06 Sep 2019
Modification date: 06 Sep 2019
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-13224, CVE-2019-13225

Description

Updated php packages fix security vulnerabilities:

A use-after-free in onig_new_deluxe() in regext.c in the bundled
Oniguruma allows attackers to potentially cause information disclosure,
denial of service, or possibly code execution by providing a crafted
regular expression (CVE-2019-13224).

A NULL Pointer Dereference in match_at() in regexec.c in the bundled
Oniguruma allows attackers to potentially cause denial of service by
providing a crafted regular expression (CVE-2019-13225).

For other fixes in this update, see the referenced changelog.

References

SRPMS

7/core