There's a possible privilege escalation bug in PHP, CVE-2021-21703. This sounds quite severe, and according to the upstream bug the guy who found it has a reliable exploit and may soon publish it. It also sounds from the communication from the PHP devs that this may not get a fix for the 7.3 version. It's probably possible to backport a patch, but given PHP 7.3 security support officially ends in less than 2 months (and, as this vuln shows, unofficially already ended), maybe early deprecation of PHP 7.3 is the way to go here. This is fixed in 7.4.25 (not in portage yet) and 8.0.12 (already in portage, needs to be stabilized).
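For an administrator triaging hosts against this report, the question is simply whether the running PHP is at or above the upstream fix for its branch (7.4.25 or 8.0.12, as stated above). The script below is an added example, not part of this bug or of Gentoo's tooling: it parses `php -v` style output (the sample text is constructed) and classifies the version. The 7.3 handling is the caveat worth noting: a distro-backported fix keeps the upstream version number, so a version string alone cannot tell a patched 7.3 package from an unpatched one, and the script reports it for manual checking rather than guessing.

```python
import re
import subprocess

# Upstream releases that fix CVE-2021-21703, as stated in the report above.
FIXED_UPSTREAM = {
    (7, 4): (7, 4, 25),
    (8, 0): (8, 0, 12),
}

# Branch the report says may get no upstream fix; a distribution may carry
# its own backport, which `php -v` cannot distinguish, so it is flagged
# instead of classified.
BACKPORT_ONLY = {(7, 3)}

# Constructed sample of `php -v` output for an affected 7.4 release.
SAMPLE_OUTPUT = (
    "PHP 7.4.24 (cli) (built: Oct  1 2021 00:00:00) ( NTS )\n"
    "Copyright (c) The PHP Group\n"
    "Zend Engine v3.4.0, Copyright (c) Zend Technologies\n"
)

VERSION_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_php_version(output: str):
    """Extract (major, minor, patch) from `php -v` output, or None if absent."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(version) -> str:
    """Classify a (major, minor, patch) tuple against the known fixes.

    Returns 'fixed', 'vulnerable', 'check-distro-patch' (7.3: upstream fix
    not available, look for a distribution backport) or 'unknown-branch'
    (no data on this page for that branch; do not assume it is safe).
    """
    branch = tuple(version[:2])
    if branch in FIXED_UPSTREAM:
        return "fixed" if tuple(version) >= FIXED_UPSTREAM[branch] else "vulnerable"
    if branch in BACKPORT_ONLY:
        return "check-distro-patch"
    return "unknown-branch"


def assess_output(output: str) -> str:
    """Convenience wrapper: parse `php -v` text and classify it."""
    version = parse_php_version(output)
    if version is None:
        return "unparseable"
    return assess(version)


if __name__ == "__main__":
    # Run against the local interpreter when one is installed; otherwise
    # fall back to the constructed sample so the script still demonstrates itself.
    try:
        output = subprocess.run(["php", "-v"], capture_output=True,
                                text=True, check=False).stdout
    except FileNotFoundError:
        output = SAMPLE_OUTPUT
    print(f"{parse_php_version(output)}: {assess_output(output)}")
```

Treat 'unknown-branch' as "no information", not as "fixed": the classification only covers the branches this report names.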
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=59978b5ae90bdad9d705ece171cd0d92e676e913

commit 59978b5ae90bdad9d705ece171cd0d92e676e913
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-10-22 16:57:17 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-10-22 16:57:17 +0000

    dev-lang/php: Version bump for 7.4.25

    Bug: https://bugs.gentoo.org/819510
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest          |   1 +
 dev-lang/php/php-7.4.25.ebuild | 745 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 746 insertions(+)
Please file a stablereq when ready.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6fb720cfe0c62387092106e1ec5c494ad82cc07f

commit 6fb720cfe0c62387092106e1ec5c494ad82cc07f
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-10-25 14:41:47 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-10-25 14:41:47 +0000

    dev-lang/php: Revbump 7.3.31 for CVE-2021-21703 security patch

    Bug: https://bugs.gentoo.org/819510
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/files/php73-CVE2021-21703.patch | 397 ++++++++++++++
 dev-lang/php/php-7.3.31-r1.ebuild            | 754 +++++++++++++++++++++++++++
 2 files changed, 1151 insertions(+)
Please clean up.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73896251628db98d15c64aa65aac004c24b0e38a

commit 73896251628db98d15c64aa65aac004c24b0e38a
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-11-07 13:03:02 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-11-07 13:03:02 +0000

    dev-lang/php: Clean up vunlernable versions

    Bug: https://bugs.gentoo.org/819510
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-lang/php/Manifest             |   4 -
 dev-lang/php/php-7.3.31-r1.ebuild | 754 -------------------------------------
 dev-lang/php/php-7.3.31.ebuild    | 758 --------------------------------------
 dev-lang/php/php-7.4.24.ebuild    | 750 -------------------------------------
 dev-lang/php/php-8.0.11.ebuild    | 749 -------------------------------------
 dev-lang/php/php-8.1.0_rc2.ebuild | 749 -------------------------------------
 6 files changed, 3764 deletions(-)
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4447c90f117a8f0928cc5e880f3cfc9fde7ee918

commit 4447c90f117a8f0928cc5e880f3cfc9fde7ee918
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:23:13 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:00 +0000

    [ GLSA 202209-20 ] PHP: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/799776
    Bug: https://bugs.gentoo.org/810526
    Bug: https://bugs.gentoo.org/819510
    Bug: https://bugs.gentoo.org/833585
    Bug: https://bugs.gentoo.org/850772
    Bug: https://bugs.gentoo.org/857054
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-20.xml | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
GLSA released, all done!