Scientific Linux alert SLSA-2022:7340-1 (php-pear)


From:
               Farhan Ahmed <fahmed@fnal.gov>
To:
               scientific-linux-errata@listserv.fnal.gov
Subject:
               Security ERRATA Moderate: php-pear on SL7.x (noarch)
Date:
               Thu, 03 Nov 2022 13:30:31 -0000
Message-ID:
               <20221103133031.7128.9888@0acbe050e934>
Synopsis:          Moderate: php-pear security update
Advisory ID:       SLSA-2022:7340-1
Issue Date:        2022-11-03
CVE Numbers:       CVE-2020-28948
                   CVE-2020-28949
                   CVE-2020-36193
--

Security Fix(es):

* Archive_Tar: allows an unserialization attack because phar: is blocked
but PHAR: is not blocked (CVE-2020-28948)

* Archive_Tar: improper filename sanitization leads to file overwrites
(CVE-2020-28949)

* Archive_Tar: directory traversal due to inadequate checking of symbolic
links (CVE-2020-36193)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
--

SL7
  noarch
    php-pear-1.9.4-23.el7_9.noarch.rpm

- Scientific Linux Development Team

From:		Farhan Ahmed <fahmed@fnal.gov>
To:		scientific-linux-errata@listserv.fnal.gov
Subject:		Security ERRATA Moderate: php-pear on SL7.x (noarch)
Date:		Thu, 03 Nov 2022 13:30:31 -0000
Message-ID:		<20221103133031.7128.9888@0acbe050e934>