Change log:
CVEs Patched:
- CVE-2020-7061: heap-buffer-overflow in phar_extract_file
- CVE-2020-7062: Null Pointer Dereference in PHP Session Upload Progress
- CVE-2020-7063: Files added to tar with Phar::buildFromIterator have all-access permissions
I’d like to share a tool I’ve created to automatically detect these security releases and notify you if you’re using an unpatched version of PHP: PHP Version Audit. It can be run manually, but it was designed to be run automatically, such as in a build pipeline. Here is what the output looks like today for PHP 7.4.2:
    docker run --rm -t lightswitch05/php-version-audit:latest --version=7.4.2 --fail-security
    {
      "auditVersion": "7.4.2",
      "hasVulnerabilities": true,
      "hasSecuritySupport": true,
      "hasActiveSupport": true,
      "isLatestPatchVersion": false,
      "isLatestMinorVersion": false,
      "isLatestVersion": false,
      "latestPatchVersion": "7.4.3",
      "latestMinorVersion": "7.4.3",
      "latestVersion": "7.4.3",
      "activeSupportEndDate": "2021-11-28T00:00:00+0000",
      "securitySupportEndDate": "2022-11-28T00:00:00+0000",
      "rulesLastUpdatedDate": "2020-02-20T14:04:02+0000",
      "vulnerabilities": {
        "CVE-2020-7061": null,
        "CVE-2020-7062": null,
        "CVE-2020-7063": null
      }
    }
The --fail-security flag will cause a non-zero exit code if any CVEs are found or security support has ended. At the moment, the CVEs have a null description because the National Vulnerability Database does not yet have entries for these new CVEs. It will automatically update with the descriptions and CVE score once they are published.
submitted by /u/lightswitch05
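To show how the report above can gate a pipeline step, here is an added example (my own code, not part of the post or the php-version-audit project) that re-implements in Python the pass/fail decision the post attributes to --fail-security: fail on any listed CVE, or when security support has ended. The field names come from the JSON shown in the post; the report is embedded as a constructed sample so the script runs offline, the seven-day rule-staleness threshold is an assumption of this example, and the shape of a CVE entry once NVD publishes it is not shown in the post, so populated entries are only echoed, not interpreted.

```python
"""Gate a CI step on a PHP Version Audit JSON report.

Added example, not the php-version-audit project's own code. Re-implements the
decision the post attributes to --fail-security (fail on any CVE, or when
security support has ended) so the report can be inspected or gated without
re-running the container. Field names are taken from the report in the post.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the report the post shows for PHP 7.4.2, embedded so the
# example runs offline. A real pipeline would read the tool's stdout instead.
SAMPLE_REPORT = """{ "auditVersion": "7.4.2", "hasVulnerabilities": true,
  "hasSecuritySupport": true, "hasActiveSupport": true,
  "isLatestPatchVersion": false, "isLatestMinorVersion": false,
  "isLatestVersion": false, "latestPatchVersion": "7.4.3",
  "latestMinorVersion": "7.4.3", "latestVersion": "7.4.3",
  "activeSupportEndDate": "2021-11-28T00:00:00+0000",
  "securitySupportEndDate": "2022-11-28T00:00:00+0000",
  "rulesLastUpdatedDate": "2020-02-20T14:04:02+0000",
  "vulnerabilities": { "CVE-2020-7061": null, "CVE-2020-7062": null,
                       "CVE-2020-7063": null } }"""


def parse_date(value: str) -> datetime:
    """Parse the tool's timestamps. The offset is written as "+0000", which
    strptime's %z accepts on every Python 3 (fromisoformat only from 3.11)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def load_report(raw: str) -> dict:
    return json.loads(raw)


def evaluate(report: dict, now: datetime, max_rule_age: timedelta = timedelta(days=7)) -> tuple:
    """Return (failures, warnings) for one audit report.

    failures: reasons the build must stop (any CVE, or security support over).
    warnings: advisory findings a pipeline should surface but not fail on.
    """
    failures, warnings = [], []

    vulns = report.get("vulnerabilities") or {}
    for cve in sorted(vulns):
        details = vulns[cve]
        # Entries are null until NVD publishes; the post does not show the
        # populated shape, so anything present is echoed rather than parsed.
        shown = "details not yet published in NVD" if details is None else json.dumps(details)
        failures.append(f"{cve}: {shown}")
    if report.get("hasVulnerabilities") and not vulns:
        failures.append("report flags vulnerabilities but lists none")

    support_end = parse_date(report["securitySupportEndDate"])
    if support_end <= now:
        failures.append(
            f"PHP {report['auditVersion']} left security support on {support_end.date()}"
        )

    # A stale rule set turns a passing audit into a silent false negative, so
    # surface it. The age threshold is this example's assumption, not the tool's.
    rules_date = parse_date(report["rulesLastUpdatedDate"])
    if now - rules_date > max_rule_age:
        warnings.append(f"rules last updated {rules_date.date()}; pull a fresher image")

    if not report.get("isLatestPatchVersion"):
        warnings.append(
            f"PHP {report['auditVersion']} is behind latest patch {report['latestPatchVersion']}"
        )
    return failures, warnings


def audit_exit_code(raw_report: str, now: datetime) -> int:
    """Exit status for a pipeline step: 0 to pass, 1 to block the build."""
    failures, warnings = evaluate(load_report(raw_report), now)
    for line in warnings:
        print(f"WARN {line}")
    for line in failures:
        print(f"FAIL {line}")
    return 1 if failures else 0


if __name__ == "__main__":
    # Real use: pipe the tool's output in, e.g.
    #   docker run --rm lightswitch05/php-version-audit:latest --version=7.4.2 | python audit_gate.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    sys.exit(audit_exit_code(raw, datetime.now(timezone.utc)))
```

Run against the sample report on the day of the post it blocks the build with one FAIL line per CVE and a WARN that 7.4.3 is available; run years later the same report also fails on the support end date and warns that the rule set is stale, which is the case a cached audit image quietly hides.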