TTCSIRT-173.101618: TT-CSIRT Advisory – PHP Security Updates

PHP has released a security update stating that the following vulnerabilities have been discovered in PHP ver 7.2.11 & 7.1.23:

a) Bug #66828 – (iconv_mime_encode Q-encoding longer than it should be).

b) Bug #73457 – (Wrong error message when fopen FTP wrapped fails to open data connection).

c) Bug #74454 – (Wrong exception being thrown when using ReflectionMethod).

d) Bug #74764 – (Bindto IPv6 works with file_get_contents but fails with stream_socket_client).

e) Bug #75273 – (php_zlib_inflate_filter() may not update bytes_consumed).

f) Bug #75533 – (array_reduce is slow when $carry is large array).

g) Bug #75696 – (posix_getgrnam fails to print details of group).

h) Bug #76480 – (Use curl_multi_wait() so that timeouts are respected).

i) Bug #76832 – (ZendOPcache.MemoryBase periodically deleted by the OS).

j) Bug #76846 – (Segfault in shutdown function after memory limit error).

k) Bug #76901 – (method_exists on SPL iterator passthrough method corrupts memory).

Successfully exploitation the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application.