TTCSIRT-173.101618: TT-CSIRT Advisory – PHP Security Updates

TTCSIRT-173.101618: TT-CSIRT Advisory – PHP Security Updates

PHP has released a security update stating that the following vulnerabilities have been discovered in PHP ver 7.2.11 & 7.1.23:

a) Bug #66828 – (iconv_mime_encode Q-encoding longer than it should be).

b) Bug #73457 – (Wrong error message when fopen FTP wrapped fails to open data connection).

c) Bug #74454 – (Wrong exception being thrown when using ReflectionMethod).

d) Bug #74764 – (Bindto IPv6 works with file_get_contents but fails with stream_socket_client).

e) Bug #75273 – (php_zlib_inflate_filter() may not update bytes_consumed).

f) Bug #75533 – (array_reduce is slow when $carry is large array).

g) Bug #75696 – (posix_getgrnam fails to print details of group).

h) Bug #76480 – (Use curl_multi_wait() so that timeouts are respected).

i) Bug #76832 – (ZendOPcache.MemoryBase periodically deleted by the OS).

j) Bug #76846 – (Segfault in shutdown function after memory limit error).

k) Bug #76901 – (method_exists on SPL iterator passthrough method corrupts memory).

Successfully exploitation the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application.

Further information on these vulnerabilities and how they can be mitigated can be found at https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-113/