| Field | Value |
|---|---|
| Summary | dev-lang/php-{7.2.29,7.3.16,7.4.4}: multiple vulnerabilities (CVE-2020-{7064,7065,7066}) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | GLSAMaker/CVETool Bot <glsamaker> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | Normal |
| CC | mjo, php-bugs |
| Flags | stable-bot: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=718844 |
| Whiteboard | B3 [glsa+ cve] |
| Package list | dev-lang/php-7.2.29, dev-lang/php-7.3.16, dev-lang/php-7.4.4 |
| Runtime testing required | --- |
| Bug Depends on | 714836 |
| Bug Blocks | |
Description
GLSAMaker/CVETool Bot
2020-03-19 15:36:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ecac5f4b721b650a2d076167d4124c56e07bf983
commit ecac5f4b721b650a2d076167d4124c56e07bf983
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-19 15:27:24 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 15:38:45 +0000

dev-lang/php: bump to v7.4.4

Bug: https://bugs.gentoo.org/713484
Package-Manager: Portage-2.3.94, Repoman-2.3.21
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

dev-lang/php/Manifest | 1 +
dev-lang/php/php-7.4.4.ebuild | 746 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 747 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2dfe14621bcf66d3e8ee11fba000dbf6c0cf7b99
commit 2dfe14621bcf66d3e8ee11fba000dbf6c0cf7b99
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-19 15:25:50 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 15:38:44 +0000

dev-lang/php: bump to v7.3.16

Bug: https://bugs.gentoo.org/713484
Package-Manager: Portage-2.3.94, Repoman-2.3.21
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

dev-lang/php/Manifest | 1 +
dev-lang/php/php-7.3.16.ebuild | 756 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 757 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e20fca4c025f9708f1508db9a68f54c1ccacdf6
commit 4e20fca4c025f9708f1508db9a68f54c1ccacdf6
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-19 15:24:11 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 15:38:43 +0000

dev-lang/php: bump to v7.2.29

Bug: https://bugs.gentoo.org/713484
Package-Manager: Portage-2.3.94, Repoman-2.3.21
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

dev-lang/php/Manifest | 1 +
dev-lang/php/php-7.2.29.ebuild | 755 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 756 insertions(+)

amd64 stable

ppc stable

ppc64 stable

arm stable

x86 stable

Added to an existing GLSA request.

This issue was resolved and addressed in
GLSA 202003-57 at https://security.gentoo.org/glsa/202003-57
by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for remaining architectures.

sparc stable

ia64 stable

arm64 stable

@maintainer(s), please cleanup

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99f4e65f7cef12a36a016a18f3eb2a3e3397052c
commit 99f4e65f7cef12a36a016a18f3eb2a3e3397052c
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-01 16:50:30 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-01 16:50:30 +0000

dev-lang/php: security cleanup (bug #713484)

Bug: https://bugs.gentoo.org/713484
Package-Manager: Portage-2.3.96, Repoman-2.3.22
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

dev-lang/php/Manifest | 7 -
dev-lang/php/php-7.2.26.ebuild | 750 -------------------------------------
dev-lang/php/php-7.2.27.ebuild | 750 -------------------------------------
dev-lang/php/php-7.2.28-r1.ebuild | 755 -------------------------------------
dev-lang/php/php-7.3.13.ebuild | 751 -------------------------------------
dev-lang/php/php-7.3.14.ebuild | 751 -------------------------------------
dev-lang/php/php-7.3.15-r1.ebuild | 756 --------------------------------------
dev-lang/php/php-7.4.3-r1.ebuild | 746 -------------------------------------
8 files changed, 5266 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8cc1e413a464528a5798b1dde931e836980c522
commit d8cc1e413a464528a5798b1dde931e836980c522
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-01 16:48:24 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-01 16:48:24 +0000

dev-lang/php: mark hppa stable (bug #713484)

Bug: https://bugs.gentoo.org/713484
Package-Manager: Portage-2.3.96, Repoman-2.3.22
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

dev-lang/php/php-7.2.29.ebuild | 2 +-
dev-lang/php/php-7.3.16.ebuild | 2 +-
dev-lang/php/php-7.4.4.ebuild | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)

Repository is clean, all done!

(In reply to GLSAMaker/CVETool Bot from comment #8)
> This issue was resolved and addressed in
> GLSA 202003-57 at https://security.gentoo.org/glsa/202003-57
> by GLSA coordinator Thomas Deutschmann (whissi).

Not sure where the best place to report this is, but hopefully this gets seen by someone who does.

The GLSA 202003-57 doesn't seem quite right: even after installing an unaffected version (eg: 7.3.17), the glsa-check still triggers for 202003-57.

Please show us output of `eshowkw dev-lang/php`

Keywords for dev-lang/php:
          |                             |   u     |
          | a a   a     p         s r   |   n     |
          | l m   r i   p   h m s p i m | e u s   | r
          | p d a m a p c x p 6 3 a s i | a s l   | e
          | h 6 r 6 6 p 6 8 p 8 9 r c p | p e o   | p
          | a 4 m 4 4 c 4 6 a k 0 c v s | i d t   | o
----------+-----------------------------+---------+-------
7.2.29    | ~ + + + ~ + + + + o ~ + o ~ | 7 o 7.2 | gentoo
7.2.30    | ~ + ~ + ~ ~ ~ ~ ~ o ~ + o ~ | 7 o     | gentoo
----------+-----------------------------+---------+-------
7.3.16    | ~ + + + ~ + + + + o ~ + o ~ | 7 o 7.3 | gentoo
[I]7.3.17 | ~ + ~ + ~ ~ ~ ~ ~ o ~ + o ~ | 7 o     | gentoo
----------+-----------------------------+---------+-------
7.4.4     | ~ + + + ~ + + + + o ~ + o ~ | 7 o 7.4 | gentoo
7.4.5     | ~ + ~ + ~ ~ ~ ~ ~ o ~ + o ~ | 7 o     | gentoo

I'm seeing the same issue. It seems old non-vulnerable versions are detected as affected by glsa:
Checking GLSA 202003-57
>>> The following updates will be performed for this GLSA:
>>> No upgrade path exists for these packages:
dev-lang/php-7.3.17, dev-lang/php-7.2.30
I believe this:
glsa-202003-57.xml: <unaffected range="rge">7.2.29</unaffected>
glsa-202003-57.xml: <unaffected range="rge">7.3.16</unaffected>
should be "ge" instead of "rge".
This would be in line with older PHP advisories like glsa-201910-01.
@ Hanno: It's not that easy. Using "ge" would mean that anything >=7.2.29, this includes vulnerable 7.3.15, is not affected. But let's move that to bug 718844.
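As an added example (not code from gentoolkit, glsa-check or anyone in this thread), a small Python check that evaluates the two `<unaffected>` ranges quoted above against the installed versions the thread mentions, under both operators being discussed. The operator semantics are an assumption of this example: `ge` compares whole versions, `rge` keeps the version fixed and compares only the `-rN` revision part, which is the behaviour consistent with the glsa-check output shown above and with Hanno's objection to `ge`.

```python
import re

# Data taken from the thread: the two unaffected ranges from glsa-202003-57.xml,
# the installed versions reported as wrongly flagged, and the vulnerable 7.3.15
# that Hanno says a plain "ge" 7.2.29 would wrongly treat as unaffected.
UNAFFECTED_RANGES = [("rge", "7.2.29"), ("rge", "7.3.16")]
INSTALLED = ["7.2.30", "7.3.17", "7.3.15"]

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(ver):
    """Split a Gentoo-style version like '7.2.28-r1' into
    ((7, 2, 28), 1). Only the plain numeric forms used in this thread are
    handled; suffixes such as _rc or _p are deliberately unsupported."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver}")
    comps = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2)) if m.group(2) else 0
    return comps, rev


def range_matches(op, bound, ver):
    """Does `ver` fall inside the GLSA range '<op> bound'?
    ge  : greater-or-equal across all versions (assumed semantics).
    rge : same version as the bound; only the revision may be >= (assumed
          semantics, consistent with 7.2.30 not matching rge 7.2.29)."""
    vc, vr = parse_version(ver)
    bc, br = parse_version(bound)
    if op == "ge":
        return (vc, vr) >= (bc, br)
    if op == "rge":
        return vc == bc and vr >= br
    raise ValueError(f"unsupported range operator: {op}")


def evaluate(ranges, installed=INSTALLED):
    """Map each installed version to whether any unaffected range covers it."""
    return {v: any(range_matches(op, b, v) for op, b in ranges) for v in installed}


if __name__ == "__main__":
    # With rge nothing newer than the exact bound is covered: 7.2.30 and 7.3.17
    # stay "affected", matching the "No upgrade path exists" output above.
    print("rge:", evaluate(UNAFFECTED_RANGES))
    # With ge every version >= 7.2.29 is covered, including vulnerable 7.3.15.
    print("ge: ", evaluate([("ge", b) for _, b in UNAFFECTED_RANGES]))
```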