Advisories ยป MGASA-2020-0387

Updated php packages fix a security vulnerability

Publication date: 16 Oct 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-7070


In PHP versions 7.2.x when PHP is processing incoming HTTP cookie values, the
cookie names are url-decoded. This may lead to cookies with prefixes
like __Host confused with cookies that decode to such prefix, thus leading to
an attacker being able to forge cookie which is supposed to be secure. 

These updated packages also fix several bugs:
- realpath() erroneously resolves link to link
- Stack use-after-scope in define()
- getimagesize function silently truncates after a null byte
- Memleak when coercing integers to string via variadic argument

Fileinfo: finfo_file crash (FILEINFO_MIME)

LDAP: Fixed memory leaks.

OPCache: opcache.file_cache causes SIGSEGV when custom opcode handlers changed.

Standard: Memory leak in str_replace of empty string