TTCSIRT-173.101618: TT-CSIRT Advisory – PHP Security Updates
PHP has released a security update stating that the following vulnerabilities have been discovered in PHP versions 7.2.11 and 7.1.23:
a) Bug #66828 – (iconv_mime_encode Q-encoding longer than it should be).
b) Bug #73457 – (Wrong error message when fopen FTP wrapped fails to open data connection).
c) Bug #74454 – (Wrong exception being thrown when using ReflectionMethod).
d) Bug #74764 – (Bindto IPv6 works with file_get_contents but fails with stream_socket_client).
e) Bug #75273 – (php_zlib_inflate_filter() may not update bytes_consumed).
f) Bug #75533 – (array_reduce is slow when $carry is large array).
g) Bug #75696 – (posix_getgrnam fails to print details of group).
h) Bug #76480 – (Use curl_multi_wait() so that timeouts are respected).
i) Bug #76832 – (ZendOPcache.MemoryBase periodically deleted by the OS).
j) Bug #76846 – (Segfault in shutdown function after memory limit error).
k) Bug #76901 – (method_exists on SPL iterator passthrough method corrupts memory).
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application.
Further information on these vulnerabilities and how they can be mitigated can be found at https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-113/