From patchwork Sat Oct 3 20:21:31 2020
X-Patchwork-Submitter: Fabrice Fontaine
X-Patchwork-Id: 1376353
From: Fabrice Fontaine
To: buildroot@buildroot.org
Cc: Fabrice Fontaine, Adam Duskett
Date: Sat, 3 Oct 2020 22:21:31 +0200
Message-Id: <20201003202131.288348-1-fontaine.fabrice@gmail.com>
X-Mailer: git-send-email 2.28.0
Subject: [Buildroot] [PATCH 1/1] package/php: security bump to version 7.4.11

- Fix CVE-2020-7069: In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23
  and 7.4.x below 7.4.11, when AES-CCM mode is used with the openssl_encrypt()
  function with a 12-byte IV, only the first 7 bytes of the IV are actually
  used. This can lead to both decreased security and incorrect encryption
  data.

- Fix CVE-2020-7070: In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23
  and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values,
  the cookie names are url-decoded. This may lead to cookies with prefixes
  like __Host being confused with cookies that decode to such a prefix, thus
  leading to an attacker being able to forge a cookie which is supposed to be
  secure. See also CVE-2020-8184 for more information.

https://www.php.net/ChangeLog-7.php#7.4.11

Signed-off-by: Fabrice Fontaine
---
 package/php/php.hash | 2 +-
 package/php/php.mk | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/php/php.hash b/package/php/php.hash
index c383c471eb..77a0feb555 100644
--- a/package/php/php.hash
+++ b/package/php/php.hash @@ -1,5 +1,5 @@ # From https://www.php.net/downloads.php -sha256 c2d90b00b14284588a787b100dee54c2400e7db995b457864d66f00ad64fb010 php-7.4.10.tar.xz +sha256 5d31675a9b9c21b5bd03389418218c30b26558246870caba8eb54f5856e2d6ce php-7.4.11.tar.xz # License file sha256 0967ad6cf4b7fe81d38709d7aaef3fecb3bd685be7eebb37b864aa34c991baa7 LICENSE diff --git a/package/php/php.mk b/package/php/php.mk index 3047bfe94d..6b528cdc33 100644 --- a/package/php/php.mk +++ b/package/php/php.mk @@ -4,7 +4,7 @@ # ################################################################################ -PHP_VERSION = 7.4.10 +PHP_VERSION = 7.4.11 PHP_SITE = http://www.php.net/distributions PHP_SOURCE = php-$(PHP_VERSION).tar.xz PHP_INSTALL_STAGING = YES
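Review bot: before merging the php.hash hunk, confirm the new digest `5d31675a9b9c21b5bd03389418218c30b26558246870caba8eb54f5856e2d6ce php-7.4.11.tar.xz` against the value published at https://www.php.net/downloads.php, the source the hunk's own `# From` comment cites, rather than against a tarball fetched from a mirror; Buildroot's download check trusts whatever digest this line carries, so this one line is what turns the bump into a verified download. The LICENSE digest is left unchanged, which is expected for a point release.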
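Review bot: the unchanged context line `PHP_SITE = http://www.php.net/distributions` in the php.mk hunk fetches the tarball over plain HTTP, so the integrity of this bump rests entirely on the sha256 in php.hash; that is acceptable for this patch, but a follow-up switching PHP_SITE to https would also protect the download path itself. The change to `PHP_VERSION = 7.4.11` is consistent with the ChangeLog link in the commit message and with the new tarball name in php.hash.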
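The second fix in the commit message, cookie names being URL-decoded so that an encoded name can decode to a reserved `__Host-` prefix, is easier to see with a small model of the two parsing behaviours. The following Python is an added example, not code from this patch, from PHP, or from Buildroot. It models the pre-7.4.11 handling as a plain `urllib.parse.unquote` of the cookie name (an assumption and a simplification: PHP's real cookie parser also normalises some characters), places a hardened parser that keeps the raw name beside it, and adds the check a web application or reverse proxy could run over the `Cookie:` header to flag names that only gain a reserved prefix after decoding. `SAMPLE_COOKIE_HEADER`, the cookie names and all function names are constructed for the example.

```python
from urllib.parse import unquote

# Cookie-name prefixes whose guarantees (Secure, host-only) browsers enforce
# only when the prefix appears literally in the name they store.
RESERVED_PREFIXES = ("__Host-", "__Secure-")

# Constructed Cookie header: the second cookie's raw name decodes to
# "__Host-session", colliding with the first, legitimately prefixed cookie.
SAMPLE_COOKIE_HEADER = "__Host-session=legit; __%48ost-session=spoofed; theme=dark"


def _split_cookie_pairs(header):
    """Yield (raw_name, raw_value) pairs from a Cookie header, skipping junk."""
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        yield name.strip(), value.strip()


def parse_cookies_decoding_names(header):
    """Model of the pre-fix behaviour: the name is URL-decoded like the value.

    Assumption: PHP's real parser does more normalisation; decoding the name
    is the single step that matters for CVE-2020-7070.
    """
    cookies = {}
    for name, value in _split_cookie_pairs(header):
        cookies[unquote(name)] = unquote(value)  # a later pair overwrites an earlier one
    return cookies


def parse_cookies_raw_names(header):
    """Hardened behaviour: the name is kept exactly as the client sent it,
    so only a literal __Host-/__Secure- name can ever satisfy a prefix check."""
    cookies = {}
    for name, value in _split_cookie_pairs(header):
        cookies[name] = unquote(value)
    return cookies


def prefix_cookie_value(cookies, name):
    """Fetch a prefixed cookie by its literal, prefixed name."""
    if not name.startswith(RESERVED_PREFIXES):
        raise ValueError("expected a __Host-/__Secure- cookie name")
    return cookies.get(name)


def names_with_prefix_only_after_decoding(header):
    """Detection: raw names that lack a reserved prefix but acquire one when
    URL-decoded. A legitimate application has no reason to set such a name,
    so their presence is worth logging or rejecting at the edge."""
    suspicious = []
    for name, _ in _split_cookie_pairs(header):
        if not name.startswith(RESERVED_PREFIXES) and unquote(name).startswith(RESERVED_PREFIXES):
            suspicious.append(name)
    return suspicious


if __name__ == "__main__":
    old = parse_cookies_decoding_names(SAMPLE_COOKIE_HEADER)
    new = parse_cookies_raw_names(SAMPLE_COOKIE_HEADER)
    print("decoded names:", prefix_cookie_value(old, "__Host-session"))   # spoofed
    print("raw names    :", prefix_cookie_value(new, "__Host-session"))   # legit
    print("suspicious   :", names_with_prefix_only_after_decoding(SAMPLE_COOKIE_HEADER))
```

With name decoding, the two cookies collapse onto one key and the last one wins, so a `__Host-session` lookup returns the value that arrived under an encoded name; with raw names the literal `__Host-session` cookie is the only one that matches, and the encoded name stays visible as `__%48ost-session`, which is exactly what the detection function reports. An application that cannot upgrade PHP immediately gets the same effect by reading the prefixed cookie from the raw `Cookie` header instead of `$_COOKIE`.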