Arch Linux 804 Published by

A php security update has been released for Arch Linux.



Arch Linux Security Advisory ASA-202102-15
==========================================

Severity: Medium
Date : 2021-02-07
CVE-ID : CVE-2021-21702
Package : php
Type : denial of service
Remote : Yes
Link :   https://security.archlinux.org/AVG-1531

Summary
=======

The package php before version 8.0.2-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 8.0.2-1.

# pacman -Syu "php>=8.0.2-1"

The problem has been fixed upstream in version 8.0.2.

Workaround
==========

None.

Description
===========

A security issue was found in PHP before versions 8.0.2, 7.4.15 and
7.3.27. PHP will crash with a SIGSEGV via null-pointer dereference
whenever an XML is provided to the SoapClient query() function without
an existing field. The issue is fixed in versions 8.0.2, 7.4.15 and
7.3.27.

Impact
======

A remote attacker might be able to crash PHP via a specially crafted
XML payload.

References
==========

  https://bugs.php.net/bug.php?id=80672
  https://git.php.net/?p=php-src.git;a=commitdiff;h=f733ee195462201b2cbd1d17df2f752ee88771ba
  https://git.php.net/?p=php-src.git;a=commitdiff;h=91655b45ea0a81f2d3003a7e6604e5f419d84df4
  https://git.php.net/?p=php-src.git;a=commitdiff;h=3c939e3f69955d087e0bb671868f7267dfb2a502
  https://security.archlinux.org/CVE-2021-21702