CVE-2019-11045

Name	CVE-2019-11045
Description	In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2050-1, DSA-4626-1, DSA-4628-1

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
php5	source	jessie	5.6.40+dfsg-0+deb8u8	DLA-2050-1
php5	source	(unstable)	(unfixed)
php7.0	source	stretch	7.0.33-0+deb9u7	DSA-4628-1
php7.0	source	(unstable)	(unfixed)
php7.3	source	buster	7.3.14-1~deb10u1	DSA-4626-1
php7.3	source	(unstable)	7.3.15-1

Notes

Fixed in PHP 7.4.1, 7.3.13
PHP Bug: https://bugs.php.net/78863
https://git.php.net/?p=php-src.git;a=patch;h=d74907b8575e6edb83b728c2a94df434c23e1f79