RHSA-2019:3299: Critical: rh-php72-php security update
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.<br>The following packages have been upgraded to a later upstream version: rh-php72-php (7.2.24). (BZ#1766603)<br>Security Fix(es):<br><li> php: underflow in envpathinfo in fpmmain.c (CVE-2019-11043)</li> <li> gd: Unsigned integer underflow gdContributionsAlloc() (CVE-2016-10166)</li> <li> gd: Heap based buffer overflow in gdImageColorMatch() in gdcolormatch.c (CVE-2019-6977)</li> <li> php: Invalid memory access in function xmlrpcdecode() (CVE-2019-9020)</li> <li> php: File rename across filesystems may allow unwanted access during processing (CVE-2019-9637)</li> <li> php: Uninitialized read in exifprocessIFDinMAKERNOTE (CVE-2019-9638)</li> <li> php: Uninitialized read in exifprocessIFDinMAKERNOTE (CVE-2019-9639)</li> <li> php: Invalid read in exifprocessSOFn() (CVE-2019-9640)</li> <li> php: Out-of-bounds read due to integer overflow in iconvmimedecodeheaders() (CVE-2019-11039)</li> <li> php: Buffer over-read in exifreaddata() (CVE-2019-11040)</li> <li> php: Buffer over-read in PHAR reading functions (CVE-2018-20783)</li> <li> php: Heap-based buffer over-read in PHAR reading functions (CVE-2019-9021)</li> <li> php: memcpy with negative length via crafted DNS response (CVE-2019-9022)</li> <li> php: Heap-based buffer over-read in mbstring regular expression functions (CVE-2019-9023)</li> <li> php: Out-of-bounds read in base64decodexmlrpc in ext/xmlrpc/libxmlrpc/base64.c (CVE-2019-9024)</li> <li> php: Heap buffer overflow in function exifprocessIFDTAG() (CVE-2019-11034)</li> <li> php: Heap buffer overflow in function exifiifaddvalue() (CVE-2019-11035)</li> <li> php: Buffer over-read in exifprocessIFDTAG() leading to information disclosure (CVE-2019-11036)</li> <li> gd: Information disclosure in gdImageCreateFromXbm() (CVE-2019-11038)</li> <li> php: heap buffer over-read in exifscanthumbnail() (CVE-2019-11041)</li> <li> php: heap buffer over-read in exifprocessusercomment() (CVE-2019-11042)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of RHSA-2019:3299?
The severity of RHSA-2019:3299 is classified as important.
How do I fix RHSA-2019:3299?
To fix RHSA-2019:3299, upgrade to rh-php72-php version 7.2.24-1.el7 or later.
What vulnerabilities does RHSA-2019:3299 address?
RHSA-2019:3299 addresses a vulnerability related to an underflow in env_path_info in fpm_main.c leading to potential information disclosure.
Which packages are affected by RHSA-2019:3299?
The affected packages in RHSA-2019:3299 include various rh-php72-php related packages like php, php-cli, php-fpm, and more, all needing the specified upgrade.
When was RHSA-2019:3299 released?
RHSA-2019:3299 was released on December 16, 2019.