Security update for php7 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:1661-2 Final 1 1 2020-07-07T11:44:27Z current 2020-07-07T11:44:27Z 2020-07-07T11:44:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for php7 This update for php7 fixes the following issues: Security issue fixed: - CVE-2019-11048: Improved the handling of overly long filenames or field names in HTTP file uploads (bsc#1171999). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-1661,SUSE-SLE-Module-Packagehub-Subpackages-15-SP1-2020-1661 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20201661-2/ Link for SUSE-SU-2020:1661-2 https://lists.suse.com/pipermail/sle-security-updates/2020-July/007093.html E-Mail link for SUSE-SU-2020:1661-2 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1171999 SUSE Bug 1171999 https://www.suse.com/security/cve/CVE-2019-11048/ SUSE CVE CVE-2019-11048 page SUSE Linux Enterprise Module for Package Hub 15 SP1 apache2-mod_php7-7.2.5-4.58.2 php7-7.2.5-4.58.2 php7-bcmath-7.2.5-4.58.2 php7-bz2-7.2.5-4.58.2 php7-calendar-7.2.5-4.58.2 php7-ctype-7.2.5-4.58.2 php7-curl-7.2.5-4.58.2 php7-dba-7.2.5-4.58.2 php7-devel-7.2.5-4.58.2 php7-dom-7.2.5-4.58.2 php7-embed-7.2.5-4.58.2 php7-enchant-7.2.5-4.58.2 php7-exif-7.2.5-4.58.2 php7-fastcgi-7.2.5-4.58.2 php7-fileinfo-7.2.5-4.58.2 php7-fpm-7.2.5-4.58.2 php7-ftp-7.2.5-4.58.2 php7-gd-7.2.5-4.58.2 php7-gettext-7.2.5-4.58.2 php7-gmp-7.2.5-4.58.2 php7-iconv-7.2.5-4.58.2 php7-intl-7.2.5-4.58.2 php7-json-7.2.5-4.58.2 php7-ldap-7.2.5-4.58.2 php7-mbstring-7.2.5-4.58.2 php7-mysql-7.2.5-4.58.2 php7-odbc-7.2.5-4.58.2 php7-opcache-7.2.5-4.58.2 php7-openssl-7.2.5-4.58.2 php7-pcntl-7.2.5-4.58.2 php7-pdo-7.2.5-4.58.2 php7-pear-7.2.5-4.58.2 php7-pear-Archive_Tar-7.2.5-4.58.2 php7-pgsql-7.2.5-4.58.2 php7-phar-7.2.5-4.58.2 php7-posix-7.2.5-4.58.2 php7-readline-7.2.5-4.58.2 php7-shmop-7.2.5-4.58.2 php7-snmp-7.2.5-4.58.2 php7-soap-7.2.5-4.58.2 php7-sockets-7.2.5-4.58.2 php7-sodium-7.2.5-4.58.2 php7-sqlite-7.2.5-4.58.2 php7-sysvmsg-7.2.5-4.58.2 php7-sysvsem-7.2.5-4.58.2 php7-sysvshm-7.2.5-4.58.2 php7-test-7.2.5-4.58.2 php7-tidy-7.2.5-4.58.2 php7-tokenizer-7.2.5-4.58.2 php7-wddx-7.2.5-4.58.2 php7-xmlreader-7.2.5-4.58.2 php7-xmlrpc-7.2.5-4.58.2 php7-xmlwriter-7.2.5-4.58.2 php7-xsl-7.2.5-4.58.2 php7-zip-7.2.5-4.58.2 php7-zlib-7.2.5-4.58.2 php7-embed-7.2.5-4.58.2 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP1 In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server. CVE-2019-11048 SUSE Linux Enterprise Module for Package Hub 15 SP1:php7-embed-7.2.5-4.58.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201661-2/ https://www.suse.com/security/cve/CVE-2019-11048.html CVE-2019-11048 https://bugzilla.suse.com/1171999 SUSE Bug 1171999