Fedora 30 : php (2019-ec40d89812)

high Nessus Plugin ID 127535

Synopsis

The remote Fedora host is missing a security update.

Description

**PHP version 7.2.21** (01 Aug 2019)

**Date:**

- Fixed bug php#69044 (discrepancy between time and microtime). (krakjoe)

**EXIF:**

- Fixed bug php#78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042) (Stas)

- Fixed bug php#78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041) (Stas)

**Fileinfo:**

- Fixed bug php#78183 (finfo_file shows wrong mime-type for .tga file). (Joshua Westerheide)

**FTP:**

- Fixed bug php#77124 (FTP with SSL memory leak). (Nikita)

**Libxml:**

- Fixed bug php#78279 (libxml_disable_entity_loader settings is shared between requests (cgi-fcgi)). (Nikita)

**LiteSpeed:**

- Updated to LiteSpeed SAPI V7.4.3 (increased response header count limit from 100 to 1000, added crash handler to cleanly shutdown PHP request, added CloudLinux mod_lsapi mode). (George Wang)

- Fixed bug php#76058 (After 'POST data can't be buffered', using php://input makes huge tmp files). (George Wang)

**Openssl:**

- Fixed bug php#78231 (Segmentation fault upon stream_socket_accept of exported socket-to-stream). (Nikita)

**OPcache:**

- Fixed bug php#78189 (file cache strips last character of uname hash). (cmb)

- Fixed bug php#78202 (Opcache stats for cache hits are capped at 32bit NUM). (cmb)

- Fixed bug php#78291 (opcache_get_configuration doesn't list all directives). (Andrew Collington)

**Phar:**

- Fixed bug php#77919 (Potential UAF in Phar RSHUTDOWN). (cmb)

**Phpdbg:**

- Fixed bug php#78297 (Include unexistent file memory leak). (Nikita)

**PDO_Sqlite:**

- Fixed bug php#78192 (SegFault when reuse statement after schema has changed). (Vincent Quatrevieux)

**Standard:**

- Fixed bug php#78241 (touch() does not handle dates after 2038 in PHP 64-bit). (cmb)

- Fixed bug php#78269 (password_hash uses weak options for argon2). (Remi)

**XMLRPC:**

- Fixed bug php#78173 (XML-RPC mutates immutable objects during encoding). (Asher Baker)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected php package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2019-ec40d89812

Plugin Details

Severity: High

ID: 127535

File Name: fedora_2019-ec40d89812.nasl

Version: 1.5

Type: local

Agent: unix

Published: 8/12/2019

Updated: 1/6/2020

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.0

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:php, cpe:/o:fedoraproject:fedora:30

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 8/8/2019

Vulnerability Publication Date: 8/9/2019

Reference Information

CVE: CVE-2019-11041, CVE-2019-11042