MiracleLinux 7 : rh-php73-php-7.3.20-1.el7 (AXSA:2020-958:01)
The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2020-958:01 advisory. php: DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte (CVE-2019-11045); php: Information...
DEBIAN-CVE-2020-7065
In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using the mb_strtolower function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite a stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution...
PT-2020-2040 · Php +7
Name of the Vulnerable Software and Affected Versions: PHP versions 7.3.x below 7.3.16; PHP versions 7.4.x below 7.4.4. Description: The issue is related to the use of the mb_strtolower function with UTF-32LE encoding in PHP. Certain invalid strings could cause PHP to overwrite the stack-allocated...
Internet Bug Bounty: Heap overflow in utf32be_mbc_to_code
https://bugs.php.net/bug.php?id=77418 Buffer overflow in mbc_to_code functions for UTF32BE, UTF32LE, UTF16BE, and UTF16LE due to incorrect length assumptions of a buffer. Provided a patch that was adapted to check the length of the buffer prior to using it. Impact: Memory leakage and/or corruption...