
Test ID: 1.3.6.1.4.1.25623.1.1.10.2020.0387
Category: Mageia Linux Local Security Checks
Title: Mageia: Security Advisory (MGASA-2020-0387)
Summary: The remote host is missing an update for the 'php' package(s) announced via the MGASA-2020-0387 advisory.
Description:
Summary:
The remote host is missing an update for the 'php' package(s) announced via the MGASA-2020-0387 advisory.

Vulnerability Insight:
In PHP versions 7.2.x, when PHP is processing incoming HTTP cookie values, the
cookie names are url-decoded. This may lead to cookies with prefixes
like __Host being confused with cookies that decode to such a prefix, allowing
an attacker to forge a cookie which is supposed to be secure.
(CVE-2020-7070)

These updated packages also fix several bugs:
Core:
- realpath() erroneously resolves link to link
- Stack use-after-scope in define()
- getimagesize function silently truncates after a null byte
- Memleak when coercing integers to string via variadic argument

Fileinfo: finfo_file crash (FILEINFO_MIME)

LDAP: Fixed memory leaks.

OPCache: opcache.file_cache causes SIGSEGV when custom opcode handlers changed.

Standard: Memory leak in str_replace of empty string

Affected Software/OS:
'php' package(s) on Mageia 7.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2020-7070
https://security.netapp.com/advisory/ntap-20201016-0001/
https://www.tenable.com/security/tns-2021-14
Debian Security Information: DSA-4856
https://www.debian.org/security/2021/dsa-4856
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RRU57N3OSYZPOMFWPRDNVH7EMYOTSZ66/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EVDN7D3IB4EAI4D3ZOM2OJKQ5SD7K4E/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P2J3ZZDHCSX65T5QWV4AHBN7MOJXBEKG/
https://security.gentoo.org/glsa/202012-16
http://cve.circl.lu/cve/CVE-2020-8184
https://bugs.php.net/bug.php?id=79699
https://hackerone.com/reports/895727
https://www.oracle.com/security-alerts/cpuoct2021.html
https://lists.debian.org/debian-lts-announce/2020/10/msg00008.html
SuSE Security Announcement: openSUSE-SU-2020:1703
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00045.html
SuSE Security Announcement: openSUSE-SU-2020:1767
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00067.html
https://usn.ubuntu.com/4583-1/
Copyright: Copyright (C) 2022 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.