author    Stanislav Malyshev <stas@php.net>  2020-09-28 21:34:52 -0700
committer Stanislav Malyshev <stas@php.net>  2020-09-28 21:38:43 -0700
commit    7bc112a142720fdbd553e5bcdbbe98c10d10928a (patch)
tree      84199f3e33d1eb2401d38b7248b76b266bd1d5e0
parent    6559fe912661ca5ce5f0eeeb591d928451428ed0 (diff)
download  php-git-7bc112a142720fdbd553e5bcdbbe98c10d10928a.tar.gz
Update NEWS & UPGRADING
-rw-r--r--  NEWS       7
-rw-r--r--  UPGRADING  11
2 files changed, 15 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index d69ca63874..596c970821 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,13 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 7.2.34
+- Core:
+ . Fixed bug ##79699 (PHP parses encoded cookie names so malicious `__Host-`
+ cookies can be sent). (CVE-2020-7070) (Stas)
+
+- OpenSSL:
+ . Fixed bug ##79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12
+ bytes IV). (CVE-2020-7069) (Jakub Zelenka)
06 Aug 2020, PHP 7.2.33
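Review bot: both new NEWS entries write the bug id with a doubled hash (`##79699`, `##79601`) while the file's convention is a single `#` (`Fixed bug #NNNNN`); drop the extra character in each. The OpenSSL entry also reads `for a 12 bytes IV`; `for a 12-byte IV` is the correct form. Otherwise the entries carry the right CVE ids and credits, and the cookie entry's mention of `__Host-` is the right detail to surface, since that protected prefix is what percent-decoding of incoming cookie names allowed a client to forge; note that NEWS files this under Core while the UPGRADING hunk files the same change under SAPI, so the two should agree on the category.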
diff --git a/UPGRADING b/UPGRADING
index 52968a3857..c40fa8973e 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -52,11 +52,16 @@ PHP 7.2 UPGRADE NOTES
. The hash_hmac(), hash_hmac_file(), hash_pbkdf2() and hash_init() (with
HASH_HMAC) functions no longer accept non-cryptographic hashes.
-- JSON
+- JSON:
. The json_decode() option JSON_OBJECT_AS_ARRAY is used if the second
parameter (assoc) is null. Previously JSON_OBJECT_AS_ARRAY was always
ignored.
+- SAPI:
+ . Starting with 7.2.34, incoming cookie names are not url-decoded. This was never
+ required by the standard, outgoing cookie names aren't encoded and this leads
+ to security issues (CVE-2020-7070).
+
- Session:
. Removed register_globals related code and "!" can be used as $_SESSION key name.
. Session is made to manage session status correctly and prevents invalid operations.
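Review bot: the new SAPI paragraph is one comma-spliced sentence that leaves the causal chain implicit; suggest `Starting with 7.2.34, incoming cookie names are no longer URL-decoded. Decoding was never required by the standard, outgoing cookie names are not encoded, and decoding only the incoming side allowed a percent-encoded name to be parsed as a protected name such as __Host- (CVE-2020-7070).` Since this is UPGRADING, the note should also state the observable change for applications: a cookie whose name arrives percent-encoded is now registered under its raw, undecoded name rather than the decoded one, so code that relied on the old decoding may see different keys and must be adjusted. Minor: `url-decoded` should be `URL-decoded`.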
@@ -69,7 +74,7 @@ PHP 7.2 UPGRADE NOTES
session_unset(), session_write_close()/session_commit(), session_abort(),
session_reset()
. Functions prohibit invalid operations with regard to session status and
- HTTP header status, returns correct bool return value.
+ HTTP header status, return correct bool return value.
session_start(), session_set_cookie_params(), session_name(), session_module_name(),
session_set_save_handler(), session_regenerate_id(), session_cache_limiter(),
session_cache_expire(), session_unset(), session_destroy(),
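Review bot: the `returns` to `return` fix is correct, but the sentence remains awkward (`return correct bool return value`); suggest `. Functions prohibit invalid operations with regard to session status and HTTP header status, and return the correct bool value.`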
@@ -88,7 +93,7 @@ PHP 7.2 UPGRADE NOTES
session_start()
. When headers are already sent and try to set new INI values, session_name(),
session_module_name(), session_save_path(), session_cache_limiter() and
- session_cache_expire() are no longer works. Older PHPs accepts new values even
+ session_cache_expire() no longer work. Older PHPs accept new values even
if new values will not be effective.
This new corrected behavior may affect command line mode CLI scripts that manage
sessions. Use output buffer just like web applications to resolve problems on
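Review bot: the fix of `are no longer works` and `accepts` is right, but the opening clause `When headers are already sent and try to set new INI values` still has no subject; suggest `. When headers have already been sent, attempts to set new INI values through session_name(), session_module_name(), session_save_path(), session_cache_limiter() and session_cache_expire() no longer work. Older PHP versions accepted the new values even though they could not take effect.`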