UbuntuUpdates.org

Package "php-pear"

Name: php-pear

Description: PEAR Base System

Latest version: 1:1.10.9+submodules+notgz-1ubuntu0.20.04.3
Release: focal (20.04)
Level: updates
Repository: main
Homepage: https://pear.php.net/package/PEAR

Other versions of "php-pear" in Focal

Repository  Area  Version
base        main  1:1.10.9+submodules+notgz-1
security    main  1:1.10.9+submodules+notgz-1ubuntu0.20.04.3

Changelog

Version: 1:1.10.9+submodules+notgz-1ubuntu0.20.04.3 2021-07-29 18:06:24 UTC

  php-pear (1:1.10.9+submodules+notgz-1ubuntu0.20.04.3) focal-security; urgency=medium

  * SECURITY UPDATE: incorrect symlink extraction
    - debian/patches/CVE-2021-32610.patch: properly fix symbolic link path
      traversal in submodules/Archive_Tar/Archive/Tar.php.
    - CVE-2021-32610

 -- Marc Deslauriers <email address hidden> Wed, 28 Jul 2021 10:48:22 -0400

CVE-2021-32610 In Archive_Tar before 1.4.14, symlinks can refer to targets outside of ...

Version: 1:1.10.9+submodules+notgz-1ubuntu0.20.04.2 2021-02-08 15:07:33 UTC

  php-pear (1:1.10.9+submodules+notgz-1ubuntu0.20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: directory traversal attack in Archive_Tar
    - debian/patches/CVE-2020-36193-1.patch: disallow symlinks to
      out-of-path filenames in submodules/Archive_Tar/Archive/Tar.php.
    - debian/patches/CVE-2020-36193-2.patch: fix out-of-path check for
      virtual relative symlink in submodules/Archive_Tar/Archive/Tar.php.
    - debian/patches/CVE-2020-36193-3.patch: PHP compat fix in
      submodules/Archive_Tar/Archive/Tar.php.
    - CVE-2020-36193

 -- Marc Deslauriers <email address hidden> Thu, 04 Feb 2021 10:37:22 -0500

CVE-2020-36193 Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue

Version: 1:1.10.9+submodules+notgz-1ubuntu0.20.04.1 2020-12-01 15:07:21 UTC

  php-pear (1:1.10.9+submodules+notgz-1ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: unserialization attack in Archive_Tar
    - debian/patches/CVE-2020-2894x.patch: catch additional malicious or
      crafted filenames in submodules/Archive_Tar/Archive/Tar.php.
    - CVE-2020-28948
    - CVE-2020-28949

 -- Marc Deslauriers <email address hidden> Mon, 30 Nov 2020 09:55:16 -0500

CVE-2020-2894 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.4
CVE-2020-28948 Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
CVE-2020-28949 Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to o


