From the changelog for 7.3.26:
"(FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071)"
Applies to the others too AFAICT.
They've patched 7.4 and 7.3 but not 8.0 or 7.2 yet.
The various patches can be found in the bug link.
(In reply to Sam James from comment #1)
> They've patched 7.4 and 7.3 but not 8.0 or 7.2 yet.
> The various patches can be found in the bug link.
7.2 will be masked and removed since it is EOL
The bug has been referenced in the following commit(s):
Author: Brian Evans <firstname.lastname@example.org>
AuthorDate: 2021-01-07 16:55:10 +0000
Commit: Brian Evans <email@example.com>
CommitDate: 2021-01-07 16:55:10 +0000
dev-lang/php: Security bump for 7.4.14
Signed-off-by: Brian Evans <firstname.lastname@example.org>
dev-lang/php/Manifest | 1 +
dev-lang/php/php-7.4.14.ebuild | 752 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 753 insertions(+)
Unable to check for sanity:
> dependent bug #764356 is missing keywords
All sanity-check issues have been resolved
Added to an existing GLSA request.
This issue was resolved and addressed in
GLSA 202105-23 at https://security.gentoo.org/glsa/202105-23
by GLSA coordinator Thomas Deutschmann (whissi).