Arch Linux alert ASA-202102-14 (php7)
| From: | Remi Gacogne via arch-security <arch-security@lists.archlinux.org> | |
| To: | arch-security@archlinux.org | |
| Subject: | [ASA-202102-14] php7: denial of service | |
| Date: | Fri, 12 Feb 2021 08:07:27 +0100 | |
| Message-ID: | <945313d4-458f-705f-9fda-dcadc2cbe14a@archlinux.org> | |
| Cc: | Remi Gacogne <rgacogne@archlinux.org> |
Arch Linux Security Advisory ASA-202102-14 ========================================== Severity: Medium Date : 2021-02-06 CVE-ID : CVE-2021-21702 Package : php7 Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-1532 Summary ======= The package php7 before version 7.4.15-1 is vulnerable to denial of service. Resolution ========== Upgrade to 7.4.15-1. # pacman -Syu "php7>=7.4.15-1" The problem has been fixed upstream in version 7.4.15. Workaround ========== None. Description =========== A security issue was found in PHP before versions 8.0.2, 7.4.15 and 7.3.27. PHP will crash with a SIGSEGV via null-pointer dereference whenever an XML is provided to the SoapClient query() function without an existing field. The issue is fixed in versions 8.0.2, 7.4.15 and 7.3.27. Impact ====== A remote attacker might be able to crash PHP via a specially crafted XML payload. References ========== https://bugs.php.net/bug.php?id=80672 https://git.php.net/?p=php-src.git;a=commitdiff;h=f733ee1... https://git.php.net/?p=php-src.git;a=commitdiff;h=91655b4... https://git.php.net/?p=php-src.git;a=commitdiff;h=3c939e3... https://security.archlinux.org/CVE-2021-21702