
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN004
_____________________________________________________________________

DATE                : 11/01/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PHP versions prior to 7.4.14
                     and 7.3.26.

=====================================================================
https://www.php.net/ChangeLog-7.php#7.4.14
https://www.php.net/ChangeLog-7.php#7.3.26
_____________________________________________________________________

Version 7.4.14
07 Jan 2021

    Core:
        Fixed bug #74558 (Can't rebind closure returned by
          Closure::fromCallable()).

        Fixed bug #80345 (PHPIZE configuration has outdated
          PHP_RELEASE_VERSION).

        Fixed bug #72964 (White space not unfolded for CC/Bcc headers).

        Fixed bug #80362 (Running dtrace scripts can cause php to
          crash).

        Fixed bug #80393 (Build of PHP extension fails due to
          configuration gap with libtool).

        Fixed bug #80402 (configure filtering out -lpthread).

        Fixed bug #77069 (stream filter loses final block of data).

    Fileinfo:
        Fixed bug #77961 (finfo_open crafted magic parsing SIGABRT).

    FPM:
        Fixed bug #69625 (FPM returns 200 status on request without
          SCRIPT_FILENAME env).

    Intl:
        Fixed bug #80425 (MessageFormatAdapter::getArgTypeList
          redefined).

    OpenSSL:
        Fixed bug #80368 (OpenSSL extension fails to build against
          LibreSSL due to lack of OCB support).

    Phar:
        Fixed bug #73809 (Phar Zip parse crash - mmap fail).

        Fixed bug #75102 (`PharData` says invalid checksum for valid
          tar).

        Fixed bug #77322 (PharData::addEmptyDir('/') Possible integer
          overflow).

    PDO MySQL:
        Fixed bug #80458 (PDOStatement::fetchAll() throws for upsert
          queries).

        Fixed bug #63185 (nextRowset() ignores MySQL errors with native
          prepared statements).

        Fixed bug #78152 (PDO::exec() - Bad error handling with multiple
          commands).

        Fixed bug #70066 (Unexpected "Cannot execute queries while other
          unbuffered queries").

        Fixed bug #71145 (Multiple statements in init command triggers
          unbuffered query error).

        Fixed bug #76815 (PDOStatement cannot be GCed/closeCursor-ed
          when a PROCEDURE resultset SIGNAL).

    Standard:
        Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid
          userinfo). (CVE-2020-7071)

        Fixed bug #80366 (Return Value of zend_fstat() not Checked).

        Fixed bug #80411 (References to null-serialized object break
          serialize()).

    Tidy:
        Fixed bug #77594 (ob_tidyhandler is never reset).

    Zlib:
        Fixed #48725 (Support for flushing in zlib stream).


_____________________________________________________________________

Version 7.3.26
07 Jan 2021

    Standard:
        Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid
          userinfo). (CVE-2020-7071)

        Fixed bug #80457 (stream_get_contents() fails with maxlength=-1
          or default).



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================





