PublicDateAtUSN: 2020-04-01 04:15:00 UTC
Candidate: CVE-2020-7066
PublicDate: 2020-04-01 04:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7066
 http://git.php.net/?p=php-src.git;a=commit;h=a33d05b1474caee449b88f53d61bee720c57caf7
 https://ubuntu.com/security/notices/USN-4330-1
 https://ubuntu.com/security/notices/USN-4330-2
Description:
 In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4,
 when get_headers() is used with a user-supplied URL and that URL contains a
 zero (\0) character, the URL is silently truncated at that character. This may
 cause some software to make incorrect assumptions about the target of the
 get_headers() call and possibly send some information to the wrong server.
Ubuntu-Description:
Notes:
 sbeattie> PEAR issues should go against php-pear as of xenial
 leosilva> php5 in precise is 5.3 and does not support the Zend API
 leosilva> needed to fix this issue. Since backporting this is too
 leosilva> intrusive, marking it as ignored for precise/esm.
Mitigation:
Bugs:
 https://bugs.php.net/bug.php?id=79329
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N [4.3 MEDIUM]

Patches_php5:
 upstream: https://github.com/microsoft/php-src/commit/c3582855b88cfde8e69734da738803b54c2c2e26
upstream_php5: needs-triage
precise/esm_php5: ignored
trusty_php5: ignored (out of standard support)
trusty/esm_php5: released (5.5.9+dfsg-1ubuntu4.29+esm11)
xenial_php5: DNE
bionic_php5: DNE
eoan_php5: DNE
focal_php5: DNE
devel_php5: DNE

Patches_php7.0:
upstream_php7.0: needs-triage
precise/esm_php7.0: DNE
trusty_php7.0: DNE
trusty/esm_php7.0: DNE
xenial_php7.0: released (7.0.33-0ubuntu0.16.04.14)
esm-infra/xenial_php7.0: released (7.0.33-0ubuntu0.16.04.14)
bionic_php7.0: DNE
eoan_php7.0: DNE
focal_php7.0: DNE
devel_php7.0: DNE

Patches_php7.2:
upstream_php7.2: needs-triage
precise/esm_php7.2: DNE
trusty_php7.2: DNE
trusty/esm_php7.2: DNE
xenial_php7.2: DNE
bionic_php7.2: released (7.2.24-0ubuntu0.18.04.4)
eoan_php7.2: DNE
focal_php7.2: DNE
devel_php7.2: DNE

Patches_php7.3:
upstream_php7.3: needs-triage
precise/esm_php7.3: DNE
trusty_php7.3: DNE
trusty/esm_php7.3: DNE
xenial_php7.3: DNE
bionic_php7.3: DNE
eoan_php7.3: released (7.3.11-0ubuntu0.19.10.4)
focal_php7.3: DNE
devel_php7.3: DNE

Patches_php7.4:
upstream_php7.4: released (7.4.4)
precise/esm_php7.4: DNE
trusty_php7.4: DNE
trusty/esm_php7.4: DNE
xenial_php7.4: DNE
bionic_php7.4: DNE
eoan_php7.4: DNE
focal_php7.4: released (7.4.3-4ubuntu1.1)
devel_php7.4: released (7.4.3-4ubuntu2)