MGASA-2020-0387

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2020-7070

Published: 16 Oct 2020, 17:04

Last modified:16 Apr 2026, 04:25

Vulnerability Summary

Overall Risk (default)

minimal

0/100

CVSS Score

No data

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

16 Oct 2020, 17:04

Published

Vulnerability first disclosed

16 Apr 2026, 04:25

Last Modified

Vulnerability information updated

Description

Updated php packages fix a security vulnerability In PHP versions 7.2.x when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. (CVE-2020-7070) These updated packages also fix several bugs: Core: - realpath() erroneously resolves link to link - Stack use-after-scope in define() - getimagesize function silently truncates after a null byte - Memleak when coercing integers to string via variadic argument Fileinfo: finfo_file crash (FILEINFO_MIME) LDAP: Fixed memory leaks. OPCache: opcache.file_cache causes SIGSEGV when custom opcode handlers changed. Standard: Memory leak in str_replace of empty string

Affected Systems

mageia•php
< 7.3.23-1.mga7

MGASA-2020-0387

Vulnerability Summary

Timeline

Description

Affected Systems

References (5)