Security update for php7 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1703-1 Final 1 1 2020-10-20T08:23:51Z current 2020-10-20T08:23:51Z 2020-10-20T08:23:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for php7 This update for php7 fixes the following issues: - CVE-2020-7069: Fixed an issue when AES-CCM mode was used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV was used (bsc#1177351). - CVE-2020-7070: Fixed an issue where percent-encoded cookies could have been used to overwrite existing prefixed cookie names (bsc#1177352). This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1703 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4CIBZMPAQTIYCAHXU3LMPKR765GUY27C/ E-Mail link for openSUSE-SU-2020:1703-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1177351 SUSE Bug 1177351 https://bugzilla.suse.com/1177352 SUSE Bug 1177352 https://www.suse.com/security/cve/CVE-2020-7069/ SUSE CVE CVE-2020-7069 page https://www.suse.com/security/cve/CVE-2020-7070/ SUSE CVE CVE-2020-7070 page openSUSE Leap 15.2 apache2-mod_php7-7.4.6-lp152.2.9.1 php7-7.4.6-lp152.2.9.1 php7-bcmath-7.4.6-lp152.2.9.1 php7-bz2-7.4.6-lp152.2.9.1 php7-calendar-7.4.6-lp152.2.9.1 php7-ctype-7.4.6-lp152.2.9.1 php7-curl-7.4.6-lp152.2.9.1 php7-dba-7.4.6-lp152.2.9.1 php7-devel-7.4.6-lp152.2.9.1 php7-dom-7.4.6-lp152.2.9.1 php7-embed-7.4.6-lp152.2.9.1 php7-enchant-7.4.6-lp152.2.9.1 php7-exif-7.4.6-lp152.2.9.1 php7-fastcgi-7.4.6-lp152.2.9.1 php7-fileinfo-7.4.6-lp152.2.9.1 php7-firebird-7.4.6-lp152.2.9.1 php7-fpm-7.4.6-lp152.2.9.1 php7-ftp-7.4.6-lp152.2.9.1 php7-gd-7.4.6-lp152.2.9.1 php7-gettext-7.4.6-lp152.2.9.1 php7-gmp-7.4.6-lp152.2.9.1 php7-iconv-7.4.6-lp152.2.9.1 php7-intl-7.4.6-lp152.2.9.1 php7-json-7.4.6-lp152.2.9.1 php7-ldap-7.4.6-lp152.2.9.1 php7-mbstring-7.4.6-lp152.2.9.1 php7-mysql-7.4.6-lp152.2.9.1 php7-odbc-7.4.6-lp152.2.9.1 php7-opcache-7.4.6-lp152.2.9.1 php7-openssl-7.4.6-lp152.2.9.1 php7-pcntl-7.4.6-lp152.2.9.1 php7-pdo-7.4.6-lp152.2.9.1 php7-pgsql-7.4.6-lp152.2.9.1 php7-phar-7.4.6-lp152.2.9.1 php7-posix-7.4.6-lp152.2.9.1 php7-readline-7.4.6-lp152.2.9.1 php7-shmop-7.4.6-lp152.2.9.1 php7-snmp-7.4.6-lp152.2.9.1 php7-soap-7.4.6-lp152.2.9.1 php7-sockets-7.4.6-lp152.2.9.1 php7-sodium-7.4.6-lp152.2.9.1 php7-sqlite-7.4.6-lp152.2.9.1 php7-sysvmsg-7.4.6-lp152.2.9.1 php7-sysvsem-7.4.6-lp152.2.9.1 php7-sysvshm-7.4.6-lp152.2.9.1 php7-test-7.4.6-lp152.2.9.1 php7-tidy-7.4.6-lp152.2.9.1 php7-tokenizer-7.4.6-lp152.2.9.1 php7-xmlreader-7.4.6-lp152.2.9.1 php7-xmlrpc-7.4.6-lp152.2.9.1 php7-xmlwriter-7.4.6-lp152.2.9.1 php7-xsl-7.4.6-lp152.2.9.1 php7-zip-7.4.6-lp152.2.9.1 php7-zlib-7.4.6-lp152.2.9.1 apache2-mod_php7-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-bcmath-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-bz2-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-calendar-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-ctype-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-curl-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-dba-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-devel-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-dom-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-embed-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-enchant-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-exif-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-fastcgi-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-fileinfo-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-firebird-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-fpm-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-ftp-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-gd-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-gettext-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-gmp-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-iconv-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-intl-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-json-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-ldap-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-mbstring-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-mysql-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-odbc-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-opcache-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-openssl-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-pcntl-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-pdo-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-pgsql-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-phar-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-posix-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-readline-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-shmop-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-snmp-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-soap-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-sockets-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-sodium-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-sqlite-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-sysvmsg-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-sysvsem-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-sysvshm-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-test-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-tidy-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-tokenizer-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-xmlreader-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-xmlrpc-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-xmlwriter-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-xsl-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-zip-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 php7-zlib-7.4.6-lp152.2.9.1 as a component of openSUSE Leap 15.2 In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data. CVE-2020-7069 openSUSE Leap 15.2:apache2-mod_php7-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-bcmath-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-bz2-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-calendar-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-ctype-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-curl-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-dba-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-devel-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-dom-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-embed-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-enchant-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-exif-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-fastcgi-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-fileinfo-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-firebird-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-fpm-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-ftp-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-gd-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-gettext-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-gmp-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-iconv-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-intl-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-json-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-ldap-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-mbstring-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-mysql-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-odbc-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-opcache-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-openssl-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-pcntl-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-pdo-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-pgsql-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-phar-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-posix-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-readline-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-shmop-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-snmp-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-soap-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-sockets-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-sodium-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-sqlite-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-sysvmsg-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-sysvsem-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-sysvshm-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-test-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-tidy-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-tokenizer-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-xmlreader-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-xmlrpc-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-xmlwriter-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-xsl-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-zip-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-zlib-7.4.6-lp152.2.9.1 important 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4CIBZMPAQTIYCAHXU3LMPKR765GUY27C/ https://www.suse.com/security/cve/CVE-2020-7069.html CVE-2020-7069 https://bugzilla.suse.com/1177351 SUSE Bug 1177351 In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information. CVE-2020-7070 openSUSE Leap 15.2:apache2-mod_php7-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-bcmath-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-bz2-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-calendar-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-ctype-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-curl-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-dba-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-devel-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-dom-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-embed-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-enchant-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-exif-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-fastcgi-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-fileinfo-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-firebird-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-fpm-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-ftp-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-gd-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-gettext-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-gmp-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-iconv-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-intl-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-json-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-ldap-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-mbstring-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-mysql-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-odbc-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-opcache-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-openssl-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-pcntl-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-pdo-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-pgsql-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-phar-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-posix-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-readline-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-shmop-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-snmp-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-soap-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-sockets-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-sodium-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-sqlite-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-sysvmsg-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-sysvsem-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-sysvshm-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-test-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-tidy-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-tokenizer-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-xmlreader-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-xmlrpc-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-xmlwriter-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-xsl-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-zip-7.4.6-lp152.2.9.1 openSUSE Leap 15.2:php7-zlib-7.4.6-lp152.2.9.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4CIBZMPAQTIYCAHXU3LMPKR765GUY27C/ https://www.suse.com/security/cve/CVE-2020-7070.html CVE-2020-7070 https://bugzilla.suse.com/1177352 SUSE Bug 1177352