package/php: security bump to version 7.4.11

- Fix CVE-2020-7069: In PHP versions 7.2.x below 7.2.34, 7.3.x below
  7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with
  openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the
  IV is actually used. This can lead to both decreased security and
  incorrect encryption data.
- Fix CVE-2020-7070: In PHP versions 7.2.x below 7.2.34, 7.3.x below
  7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP
  cookie values, the cookie names are url-decoded. This may lead to
  cookies with prefixes like __Host confused with cookies that decode to
  such prefix, thus leading to an attacker being able to forge cookie
  which is supposed to be secure. See also CVE-2020-8184 for more
  information.

https://www.php.net/ChangeLog-7.php#7.4.11

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

diff --git a/package/php/php.hash b/package/php/php.hash
index c383c471eb7dba606a010654bb08e7cce43b41f2..77a0feb555f2d78a98bfc071152b37964c3c8617 100644 (file)
--- a/package/php/php.hash
+++ b/package/php/php.hash
@@ -1,5 +1,5 @@
 # From https://www.php.net/downloads.php
-sha256  c2d90b00b14284588a787b100dee54c2400e7db995b457864d66f00ad64fb010  php-7.4.10.tar.xz
+sha256  5d31675a9b9c21b5bd03389418218c30b26558246870caba8eb54f5856e2d6ce  php-7.4.11.tar.xz
 
 # License file
 sha256  0967ad6cf4b7fe81d38709d7aaef3fecb3bd685be7eebb37b864aa34c991baa7  LICENSE

diff --git a/package/php/php.mk b/package/php/php.mk
index 3047bfe94d2789036b6b0001c10635cf19916200..6b528cdc3342b368fc7cf1568280cdb94259e53c 100644 (file)
--- a/package/php/php.mk
+++ b/package/php/php.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-PHP_VERSION = 7.4.10
+PHP_VERSION = 7.4.11
 PHP_SITE = http://www.php.net/distributions
 PHP_SOURCE = php-$(PHP_VERSION).tar.xz
 PHP_INSTALL_STAGING = YES