PHP packages within CentOS 6 Extended Lifecycle Support have been scheduled for gradual rollout

Nov 19, 2020 8:11:12 PM / by Inessa Atmachian

 

Extended-CentOS

We are happy to announce that a new updated PHP package within CentOS 6 extended lifecycle support has been scheduled for gradual rollout from our production repository.

Rollout slot: 1

Rolled out to: 1%

ETA for 100% rollout: December, 3

Errata: https://errata.cloudlinux.com/CLSA-2020-1605798462.html.


php-5.3.3-51.el6.cloudlinux
Changelog
  • Fix bug #69720: Null pointer dereference in phar_get_fp_offset()
  • Fix bug #70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
  • Fix bug #70661: Use After Free Vulnerability in WDDX Packet Deserialization
  • Fix bug #70741: Session WDDX Packet Deserialization Type Confusion Vulnerability
  • Fix bug #71459: Integer overflow in iptcembed()
  • Fix bug #71039: exec functions ignore length but look for NULL termination
  • Fix bug #71354: Heap corruption in tar/zip/phar parser.
  • Fix bug #71391: NULL Pointer Dereference in phar_tar_setupmetadata()
  • Fix bug #71323: Output of stream_get_meta_data can be falsified by its input
  • Fix bug #71498: Out-of-Bound Read in phar_parse_zipfile()
  • Fix bug #71587: Use-After-Free / Double-Free in WDDX Deserialize
  • Fix bug #71860: Invalid memory write in phar on filename with \0 in name
  • Fix bug #71798: Integer Overflow in php_raw_url_encode
  • Fix bug #72837: integer overflow in bzdecompress caused heap corruption
  • Fix bug #72681: PHP Session Data Injection Vulnerability
  • Fix bug #72807: integer overflow in curl_escape caused heap corruption
  • Fix bug #72838: Integer overflow lead to heap corruption in sql_regcase
  • Fix bug #72697: select_colors write out-of-bounds
  • Fix bug #72730: imagegammacorrect allows arbitrary write access
  • Fix bug #72836: integer overflow in base64_decode caused heap corruption
  • Fix bug #72848: integer overflow in quoted_printable_encode caused heap corruption
  • Fix bug #72849: integer overflow in urlencode caused heap corruption
  • Fix bug #72850: integer overflow in php_uuencode caused heap corruption
  • Fix bug #72771: ftps:// wrapper is vulnerable to protocol downgrade attack
  • Fix bug #72749: wddx_deserialize allows illegal memory access
  • Fix bug #72750: wddx_deserialize null dereference
  • Fix bug #72790: wddx_deserialize null dereference with invalid xml
  • Fix bug #72799: wddx_deserialize null dereference in php_wddx_pop_element
  • Fix bug #73189: Memcpy negative size parameter php_resolve_path
  • Fix bug #73150: missing NULL check in dom_document_save_html
  • Fix bug #73284: heap overflow in php_ereg_replace function
  • Fix bug #73218: stack-buffer-overflow through "ResourceBundle" methods
  • Fix bug #73208: integer overflow in imap_8bit caused heap corruption
  • Fix bug #73082: string length overflow in mb_encode_* function
  • Fix bug #73174: heap overflow in php_pcre_replace_impl
  • Fix bug #73276: crash in openssl_random_pseudo_bytes function
  • Fix bug #73275: crash in openssl_encrypt function
  • Fix bug #73017: memory corruption in wordwrap function
  • Fix bug #73240: Write out of bounds at number_format
  • Fix bug #73073: CachingIterator null dereference when convert to string
  • Fix bug #73293: NULL pointer dereference in SimpleXMLElement::asXML()
  • Fix bug #73356: crash in bzcompress function
  • Fix bug #72696: imagefilltoborder stackoverflow on truecolor images
  • Fix bug #73418: Integer Overflow in "_php_imap_mail" leads Heap Overflow
  • Fix bug #73144: Use-after-free in ArrayObject Deserialization
  • Fix bug #73192: parse_url return wrong hostname
  • Fix bug #73331: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
  • Fix bug #73452: Segfault (Regression for #69152)
  • Fix bug #73631: Invalid read when wddx decodes empty boolean element
  • Fix bug #67587: Redirection loop on nginx with FPM
  • Fix bug #71465: PHAR doesn't know about litespeed
  • Fix bug #73737: FPE when parsing a tag format
  • Fix bug #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
  • Fix bug #73869: Signed Integer Overflow gd_io.c
  • Fix bug #73773: Seg fault when loading hostile phar
  • Fix bug #70436: Use After Free Vulnerability in unserialize()
  • Fix bug #74603: PHP INI Parsing Stack Buffer Overflow Vulnerability
  • Fix bug #72535: arcfour encryption stream filter crashes php
  • Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's
  • GC algorithm and unseria
  • Fix bug #72455: Heap Overflow due to integer overflows
  • Fix bug #74782: Reflected XSS in .phar 404 page
  • Fix bug #71335: Type Confusion in WDDX Packet Deserialization
  • Fix bug #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
  • Fix bug #76249: stream filter convert.iconv leads to infinite loop on invalid sequence
  • Fix bug #76248: Malicious LDAP-Server Response causes Crash
  • Fix bug #76129: fix for CVE-2018-5712 may not be complete
  • Fix bug #75981: stack-buffer-overflow while parsing HTTP response
  • Fix bug #74385: Locale::parseLocale() broken with some arguments
  • Fix bug #76335: "link(): Bad file descriptor" with non-ASCII path
  • Fix bug #76383: array_map on $GLOBALS returns IS_INDIRECT
  • Fix bug #73342: Vulnerability in php-fpm by changing stdin to non-blocking
  • Fix bug #76505: array_merge_recursive() is duplicating sub-array keys
  • Fix bug #76532: Integer overflow and excessive memory usage in mb_strimwidth
  • Fix bug #76548: pg_fetch_result did not fetch the next row
  • Fix bug #76488: Memory leak when fetching a BLOB field
  • Fix bug #76665: SQLite3Stmt::bindValue() with SQLITE3_FLOAT doesn't juggle
  • Fix bug #75402: Possible Memory Leak using PDO::CURSOR_SCROLL option
  • Fix bug #76517: --with-gettext= causes configure to misjudges there is no getcwd
  • Fix bug #72443: Installing shared extensions: cp: cannot stat 'modules/*': No such file or dire
  • Fix bug #68175: RegexIterator pregFlags are NULL instead of 0
  • Fix bug #55146: iconv_mime_decode_headers() skips some headers
  • Fix bug #63839: iconv_mime_decode_headers function is skipping headers
  • Fix bug #60494: iconv_mime_decode does ignore special characters
  • Fix bug #68180: iconv_mime_decode can return extra characters in a header
  • Fix bug #73457: Wrong error message when fopen FTP wrapped fails to open data connection
  • Fix bug #74454: Wrong exception being thrown when using ReflectionMethod
  • Fix bug #74764: Bindto IPv6 works with file_get_contents but fails with stream_socket_client
  • Fix bug #75273: php_zlib_inflate_filter() may not update bytes_consumed
  • Fix bug #75696: posix_getgrnam fails to print details of group
  • Fix bug #76480: Use curl_multi_wait() so that timeouts are respected
  • Fix bug #76800: foreach inconsistent if array modified during loop
  • Fix bug #76886: Can't build xmlrpc with expat
  • Fix bug #76901: method_exists on SPL iterator passthrough method corrupts memory
  • Fix bug #77242: heap out of bounds read in xmlrpc_decode()
  • Fix bug #77247: heap buffer overflow in phar_detect_phar_fname_ext
  • Fix bug #77270: imagecolormatch Out Of Bounds Write on Heap
  • Fix bug #77370: Buffer overflow on mb regex functions - fetch_token
  • Fix bug #77380: Global out of bounds read in xmlrpc base64 code
  • Fix bug #77630: rename() across the device may allow unwanted access during processing
  • Fix bug #77494: Disabling class causes segfault on member access
  • Fix bug #77431: openFile() silently truncates after a null byte
  • Fix bug #51068: DirectoryIterator glob:// don't support current path relative queries
  • Fix bug #77396: Null Pointer Dereference in phar_create_or_parse_filename
  • Fix bug #77540: Invalid Read on exif_process_SOFn
  • Fix bug #77390: feof might hang on TLS streams in case of fragmented TLS records
  • Fix bug #77586: phar_tar_writeheaders_int() buffer overflow
  • Fix bug #77546: iptcembed broken function
  • Fix bug #77563: Uninitialized read in exif_process_IFD_in_MAKERNOTE
  • Fix bug #76557: heap-buffer-overflow (READ of size 48) while reading exif data
  • Fix bug #77024: SplFileObject::__toString() may return array
  • Fix bug #77945: Segmentation fault when constructing SoapClient with WSDL_CACHE_BOTH
  • Fix bug #77697: Crash on Big_Endian platform
  • Fix bug #77943: imageantialias($image, false); does not work
  • Fix bug #77944: Wrong meta pdo_type for bigint on LLP64
  • Fix bug #76717: var_export() does not create a parsable value for PHP_INT_MIN
  • Fix bug #77921: static.php.net doesn't work anymore
  • Fix bug #77934: php-fpm kill -USR2 not working
  • Fix bug #77700: Writing truecolor images as GIF ignores interlace flag
  • Fix bug #77765: FTP stream wrapper should set the directory as executable
  • Fix bug #50020: DateInterval:createDateFromString() silently fails
  • Fix bug #77742: bcpow() implementation related to gcc compiler optimization
  • Fix bug #77967: Bypassing open_basedir restrictions via file uris
  • Fix bug #77973: Uninitialized read in gdImageCreateFromXbm
  • Fix bug #77988: heap-buffer-overflow on php_jpg_get16
  • Fix bug #78192: SegFault when reuse statement after schema has changed
  • Fix bug #77124: FTP with SSL memory leak
  • Fix bug #78256: heap-buffer-overflow on exif_process_user_comment
  • Fix bug #78222: heap-buffer-overflow on exif_scan_thumbnail
  • Fix bug #77946: Bad cURL resources returned by curl_multi_info_read()
  • Fix bug #78333: Exif crash (bus error) due to wrong alignment and invalid cast
  • Fix bug #69100: Bus error from stream_copy_to_stream (file -> SSL stream) with invalid length
  • Fix bug #76342: file_get_contents waits twice specified timeout
  • Fix bug #76859: stream_get_line skips data if used with data-generating filter
  • Fix bug #78579: mb_decode_numericentity: args number inconsistency
  • Fix bug #78910: Heap-buffer-overflow READ in exif
  • Fix bug #78878: Buffer underflow in bc_shift_addsub
  • Fix bug #78793: Use-after-free in exif parsing under memory sanitizer
  • Fix bug #78863: DirectoryIterator class silently truncates after a null byte
  • Fix bug #79099: OOB read in php_strip_tags_ex
  • Fix bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions
  • Fix bug #79329: get_headers() silently truncates after a null byte
  • Fix bug #79282: Use-of-uninitialized-value in exif
  • Fix bug #61597: SimpleXMLElement doesn't include both @attributes and textContent in properties
  • Fix bug #74940: DateTimeZone loose comparison always true until properties are initialized.
  • Fix bug #79296: ZipArchive::open fails on empty file (libzip 1.6.0)
  • Fix bug #79330: shell_exec() silently truncates after a null byte
  • Fix bug #79364: When copy empty array, next key is unspecified.
  • Fix bug #79396: DateTime hour incorrect during DST jump forward using setTime
  • Fix bug #79410: system() swallows last chunk if it is exactly 4095 bytes without newline
  • Fix bug #79424: php_zip_glob uses gl_pathc after call to globfree
  • Fix bug #79465: OOB Read in urldecode() (CVE-2020-7067)
  • Fix bug #78221: DOMNode::normalize() doesn't remove empty text nodes
  • Fix bug #78875: Long filenames cause OOM and temp files are not cleaned (CVE-2019-11048)
  • Fix bug #78876: Long variables in multipart/form-data cause OOM and temp files are not cleaned (CVE-2019-11048)
  • Fix bug #79514: Memory leaks while including unexistent file
  • Fix bug #79528: Different object of the same xml between 7.4.5 and 7.4.4
  • Fix bug #62890: default_socket_timeout=-1 causes connection to timeout
  • Fix bug #70362: Can't copy() large 'data://' with open_basedir
  • Fix bug #73527: Invalid memory access in php_filter_strip
  • Fix bug #74267: segfault with streams and invalid data
  • Fix bug #79787: mb_strimwidth does not trim string
  • Fix bug #79877: getimagesize function silently truncates after a null byte
  • Fix bug #68447: grapheme_extract take an extra trailing character
  • Fix bug #68825: Inconsistent exception in DirectoryIterator::getLinkTarget()
  • Fix bug #74145: wddx parsing empty boolean tag leads to SIGSEGV (CVE-2017-11143)
  • Fix bug #74651: negative-size-param (-1) in memcpy in zif_openssl_seal() (CVE-2017-11144)
  • Fix bug #74435: Buffer over-read into uninitialized memory (CVE-2017-7890)
  • Fix bug #73093: Unserialize Exception object can lead to infinite loop (CVE-2016-7478)
  • Fix bug #72520: Stack-based buffer overflow vulnerability in php_stream_zip_opener (CVE-2016-6297)
  • Fix bug #73825: Heap out of bounds read on unserialize in finish_nested_data() (CVE-2016-10161)
  • Fix bug #60491: Session module is adoptive (CVE-2011-4718)
  • Fix bug #69253: ZIP Integer Overflow leads to writing past heap boundary (CVE-2015-2331)
  • Fix bug #69418: CVE-2006-7243 fix regressions in 5.4+ (CVE-2015-4025)
  • Fix bug #68598: pcntl_exec() should not allow null char (CVE-2015-4026)
  • Fix bug #69207: move_uploaded_file allows nulls in path (CVE-2015-2348)
  • Fix bug #69218: potential remote code execution with apache 2.4 apache2handler (CVE-2015-3330)
  • Fix bug #69719: Incorrect handling of paths with NULs, related to bug 69353 (CVE-2015-4598)
  • Fix bug #69353: Missing null byte checks for paths in various PHP extensions (CVE-2015-3411)
  • Fix bugs #70168, #70169, #70166, #70155: Use After Free Vulnerability in unserialize() with SplObjectStorage, SplDoublyLinkedList, SPLArrayObject, SPLArrayObject (CVE-2015-6831)
  • Fix bug #70019: Files extracted from archive may be placed outside of destination directory (CVE-2015-6833)
  • Fix bug #70388: SOAP serialize_function_call() type confusion / RCE (CVE-2015-6836)
  • Fix bug #69782: NULL pointer dereference (CVE-2015-6837, CVE-2015-6838)
  • Fix bug #70433: Uninitialized pointer in phar_make_dirstream when zip entry filename is "/" (CVE-2015-7804)
  • Fix bug #69923: Buffer overflow and stack smashing error in phar_fix_filepath (CVE-2015-5590)
  • Fix bug #71488: Stack overflow when decompressing tar archives (CVE-2016-2554)
  • Fix bug #72061: Out-of-bounds reads in zif_grapheme_stripos with negative offset (CVE-2016-4541, CVE-2016-4540)
  • Fix bug #72094: Out of bounds heap read access in exif header processing (CVE-2016-4542)
  • Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition (CVE-2016-4537)
  • Fix bug #71331: Uninitialized pointer in phar_make_dirstream() (CVE-2016-4343)
  • Fix bug #72241: get_icu_value_internal out-of-bounds read (CVE-2016-5093)
  • Fix bug #72135: Integer Overflow in php_html_entities() (CVE-2016-5094)
  • Fix bug #72114: Integer underflow / arbitrary null write in fread/gzread (CVE-2016-5096)
  • Fix bug #72339: Integer Overflow in _gd2GetHeader() resulting in heap overflow (CVE-2016-5766)
  • Fix bug #72340: Double Free Courruption in wddx_deserialize (CVE-2016-5772)
  • Fix bug #72613: Inadequate error handling in bzread() (CVE-2016-5399)
  • Fix bug #70480: php_url_parse_ex() buffer overflow read (CVE-2016-6288)
  • Fix bug #72513: Stack-based buffer overflow vulnerability in virtual_file_ex (CVE-2016-6289)
  • Fix bug #72562: Use After Free in unserialize() with Unexpected Session Deserialization (CVE-2016-6290)
  • Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE (CVE-2016-6291)
  • Fix bug #72533: locale_accept_from_http out-of-bounds access (CVE-2016-6294)
  • Fix bug #69975: PHP segfaults when accessing nvarchar(max) defined columns (CVE-2015-8879)
  • Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c (CVE-2016-6296)
  • Fix bug #72293: Heap overflow in mysqlnd related to BIT fields (CVE-2016-7412)
  • Fix bug #72860: wddx_deserialize use-after-free (CVE-2016-7413)
  • Fix bug #72928: Out of bound when verify signature of zip phar in phar_parse_zipfile (CVE-2016-7414)
  • Fix bug #73007: SEH buffer overflow msgfmt_format_message (CVE-2016-7416)
  • Fix bug #73029: Missing type check when unserializing SplArray (CVE-2016-7417)
  • Fix bug #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c (CVE-2016-7418)
  • Fix bug #73280: Stack Buffer Overflow in GD dynamicGetbuf (CVE-2016-8670)
  • Fix bug #73764: Crash while loading hostile phar archive (CVE-2016-10159)
  • Fix bug #73768: Memory corruption when loading hostile phar (CVE-2016-10160)
  • Fix bug #72627: Memory Leakage In exif_process_IFD_in_TIFF (CVE-2016-7128)
  • Fix bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories (CVE-2014-9767)
  • Fix bug #70081: SoapClient info leak / null pointer dereference via multiple type confusions (CVE-2015-8835)
  • Fix bug #70121: unserialize() could lead to unexpected methods execution / NULL pointer deref (CVE-2015-8876)
  • Fix bug #71906: AddressSanitizer: negative-size-param (-1) in mbfl_strcut (CVE-2016-4073)
  • Fix bug #70014: openssl_random_pseudo_bytes() is not cryptographically secure (CVE-2015-8867)
  • Fix bug #77371: heap buffer overflow in mb regex functions
  • compile_string_node (CVE-2019-9023)
  • Fix bug #77381: heap buffer overflow in multibyte match_at (CVE-2019-9023)
  • Fix bug #77382: heap buffer overflow due to incorrect length in expand_case_fold_string (CVE-2019-9023)
  • Fix bug #77385: buffer overflow in fetch_token (CVE-2019-9023)
  • Fix bug #77394: Buffer overflow in multibyte case folding - unicode (CVE-2019-9023)
  • Fix vulnerabilities with oniguruma: CVE-2017-9226, CVE-2017-9224, CVE-2017-9227, CVE-2017-9228, CVE-2019-13224
  • Fix general vulneravilities: CVE-2014-9653, CVE-2015-0235, CVE-2015-3152, CVE-2016-3074
  • Fix bug #79699: PHP parses encoded cookie names so malicious `__Host-` cookies can be sent (CVE-2020-7070)
  • Fix bug #80007: Potential type confusion in unixtojd() parameter parsing

This update includes 227 vulnerability fixes.

Update command

yum update php-*

Immediate update (via bypass)

yum update *-els-release
yum update php-* --enablerepo=ELS6-rollout-1-bypass

Topics: Technical Blog, Gradual rollout, ELS, Extended Lifecycle Support, CentOS 6, CentOS 6 ELS

Inessa Atmachian

Written by Inessa Atmachian

Inessa Atmachian is a Technical Writer. She is responsible for developing technical product documentation for CloudLinux OS, KernelCare, and Imunify360 products. She provides customers with release notes and information on product updates.

    Subscribe to Email Updates

    Lists by Topic

    see all

    Posts by Topic

    See all

    Recent Posts