Univention Bugzilla – Bug 52193
php7.0: Multiple issues (4.4)
Last modified: 2020-10-14 15:28:43 CEST
New Debian php7.0 7.0.33-0+deb9u10 fixes:

This update addresses the following issue:
* PHP parses encoded cookie names so malicious `__Host-` cookies can be sent (CVE-2020-7070)
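A simplified model of the cookie-name handling behind CVE-2020-7070, added here as an example and not taken from PHP or the Debian patch: it compares a parser that percent-decodes cookie names with one that keeps them literal, and flags raw names that only gain a reserved prefix after decoding. The function names and the sample header are constructed for illustration.

```python
from urllib.parse import unquote

# Cookie name prefixes that browsers only accept under strict conditions.
PREFIXES = ("__host-", "__secure-")


def split_cookie_header(header):
    """Yield (raw_name, raw_value) pairs from a Cookie request header."""
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            yield name, value


def parse_decoding_names(header):
    """Model of the affected behaviour: cookie names are percent-decoded."""
    jar = {}
    for name, value in split_cookie_header(header):
        # Modelling assumption: the first occurrence of a name is kept.
        jar.setdefault(unquote(name), unquote(value))
    return jar


def parse_literal_names(header):
    """Model of the fixed behaviour: values are decoded, names stay literal."""
    jar = {}
    for name, value in split_cookie_header(header):
        jar.setdefault(name, unquote(value))
    return jar


def forged_prefix_names(header):
    """Return raw names that carry a reserved prefix only after decoding."""
    flagged = []
    for name, _ in split_cookie_header(header):
        raw, decoded = name.lower(), unquote(name).lower()
        if decoded.startswith(PREFIXES) and not raw.startswith(PREFIXES):
            flagged.append(name)
    return flagged


# Constructed sample: the second name is not a prefixed cookie on the wire,
# so the browser's prefix rules were never applied to it.
SAMPLE = "theme=dark; %5F%5FHost-session=planted"

if __name__ == "__main__":
    print("decoded names:", parse_decoding_names(SAMPLE))
    print("literal names:", parse_literal_names(SAMPLE))
    print("flagged:", forged_prefix_names(SAMPLE))
```

On hosts that cannot take the update yet, the same comparison can be applied to the raw `Cookie` header in request logs or at a reverse proxy to spot encoded prefix names.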
--- mirror/ftp/4.4/unmaintained/4.4-6/source/php7.0_7.0.33-0+deb9u9.dsc +++ apt/ucs_4.4-0-errata4.4-6/source/php7.0_7.0.33-0+deb9u10.dsc @@ -1,3 +1,9 @@ +7.0.33-0+deb9u10 [Tue, 06 Oct 2020 13:08:28 -0400] Roberto C. Sánchez <roberto@debian.org>: + + * Non-maintainer upload by the LTS Team. + * CVE-2020-7070: Prevent malicious users from forging secure cookie prefix + names. + 7.0.33-0+deb9u9 [Mon, 24 Aug 2020 12:14:22 +0100] Chris Lamb <lamby@debian.org>: * CVE-2020-7068: Prevent a use-after-free vulnerability when parsing PHAR <http://10.200.17.11/4.4-6/#28549591277657707>
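Review bot: the new 7.0.33-0+deb9u10 changelog entry names CVE-2020-7070 but, like the deb9u9 entry below it, gives no patch file name or upstream bug reference, so the description "Prevent malicious users from forging secure cookie prefix names" cannot be traced to a specific code change from this diff alone. Adding the patch name or the upstream reference to the entry would let the erratum be checked against the source package.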
piuparts failed
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-6] 31cd8cc48b Bug #52193: php7.0 7.0.33-0+deb9u10
 doc/errata/staging/php7.0.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x768>