
====================================================================

                             CERT-Renater

                  Information Note No. 2020/VULN210
_____________________________________________________________________

DATE                : 17/04/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PHP versions prior to 7.4.5 and
                     7.3.17.

=====================================================================
https://www.php.net/archive/2020.php#2020-04-16-2
https://www.php.net/archive/2020.php#2020-04-16-1
http://www.php.net/ChangeLog-7.php#7.4.5
https://www.php.net/ChangeLog-7.php#7.3.17
_____________________________________________________________________

PHP 7.4.5 Released
16 Apr 2020

The PHP development team announces the immediate availability of PHP
7.4.5. This is a security release which also contains several bug fixes.

All PHP 7.4 users are encouraged to upgrade to this version.

For source downloads of PHP 7.4.5 please visit our downloads page.
Windows source and binaries can be found on windows.php.net/download/.
The list of changes is recorded in the ChangeLog.


_____________________________________________________________________

PHP 7.3.17 Released
16 Apr 2020

The PHP development team announces the immediate availability of PHP
7.3.17. This is a security release which also contains several bug fixes.

All PHP 7.3 users are encouraged to upgrade to this version.

For source downloads of PHP 7.3.17 please visit our downloads page.
Windows source and binaries can be found on windows.php.net/download/.
The list of changes is recorded in the ChangeLog.

_____________________________________________________________________

Version 7.4.5
16 Apr 2020

    Core:
        Fixed bug #79364 (When copy empty array, next key is
         unspecified).
        Fixed bug #78210 (Invalid pointer address).
    CURL:
        Fixed bug #79199 (curl_copy_handle() memory leak).
    Date:
        Fixed bug #79396 (DateTime hour incorrect during DST jump
         forward).
        Fixed bug #74940 (DateTimeZone loose comparison always true).
    FPM:
        Implement request #77062 (Allow numeric [UG]ID in FPM
         listen.{owner,group}) (Andre Nathan)
    Iconv:
        Fixed bug #79200 (Some iconv functions cut Windows-1258).
    OPcache:
        Fixed bug #79412 (Opcache chokes and uses 100% CPU on specific
         script).
    Session:
        Fixed bug #79413 (session_create_id() fails for active
         sessions).
    Shmop:
        Fixed bug #79427 (Integer Overflow in shmop_open()).
    SimpleXML:
        Fixed bug #61597 (SXE properties may lack attributes and
         content).
    SOAP:
        Fixed bug #79357 (SOAP request segfaults when any request
         parameter is missing).
    Spl:
        Fixed bug #75673 (SplStack::unserialize() behavior).
        Fixed bug #79393 (Null coalescing operator failing with
         SplFixedArray).
    Standard:
        Fixed bug #79330 (shell_exec() silently truncates after a null
         byte).
        Fixed bug #79410 (system() swallows last chunk if it is exactly
         4095 bytes without newline).
        Fixed bug #79465 (OOB Read in urldecode()). (CVE-2020-7067)
    Zip:
        Fixed bug #79296 (ZipArchive::open fails on empty file).
        Fixed bug #79424 (php_zip_glob uses gl_pathc after call to
         globfree).


_____________________________________________________________________

Version 7.3.17
16 Apr 2020

    Core:
        Fixed bug #79364 (When copy empty array, next key is unspecified).
        Fixed bug #78210 (Invalid pointer address).
    CURL:
        Fixed bug #79199 (curl_copy_handle() memory leak).
    Date:
        Fixed bug #79396 (DateTime hour incorrect during DST jump
         forward).
    Iconv:
        Fixed bug #79200 (Some iconv functions cut Windows-1258).
    OPcache:
        Fixed bug #79412 (Opcache chokes and uses 100% CPU on specific
         script).
    Session:
        Fixed bug #79413 (session_create_id() fails for active
         sessions).
    Shmop:
        Fixed bug #79427 (Integer Overflow in shmop_open()).
    SimpleXML:
        Fixed bug #61597 (SXE properties may lack attributes and
         content).
    Spl:
        Fixed bug #75673 (SplStack::unserialize() behavior).
        Fixed bug #79393 (Null coalescing operator failing with
         SplFixedArray).
    Standard:
        Fixed bug #79330 (shell_exec() silently truncates after a null
         byte).
        Fixed bug #79465 (OOB Read in urldecode()). (CVE-2020-7067)
        Fixed bug #79410 (system() swallows last chunk if it is exactly
         4095 bytes without newline).
    Zip:
        Fixed bug #79296 (ZipArchive::open fails on empty file).
        Fixed bug #79424 (php_zip_glob uses gl_pathc after call to
         globfree).



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================






