Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 867913

Summary: <dev-lang/php-{8.0.23,8.1.10}: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mjo, php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://news-web.php.net/php.announce/335
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-01 19:04:19 UTC 
URL says 8.0.23 is a security release, but no CVEs in
changelog. There are a few crashes and such, but I'm not sure I
understand how they're security-relevant when PHP code executed is
generally trusted.

8.1.10 was also released today and that's not labeled as a security
bump, despite seemingly fixing some of the same issues. Please bump to
8.0.23.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 14:17:01 UTC 
Please stabilize.

commit a07b974ba46558e71c4d89286c6a6c4fb023b1b8
Author: Brian Evans <grknight@gentoo.org>
Date:   Sat Sep 10 20:56:39 2022 -0400

    dev-lang/php: Version bump for 8.0.23

    Signed-off-by: Brian Evans <grknight@gentoo.org>

commit 5994eccf962086fb2d6b323ae88f04dacf797e89
Author: Brian Evans <grknight@gentoo.org>
Date:   Sat Sep 10 20:10:59 2022 -0400

    dev-lang/php: Version bump for 8.1.10

    Signed-off-by: Brian Evans <grknight@gentoo.org>
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 14:23:53 UTC 
GLSA request filed
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-30 14:02:49 UTC 
(In reply to John Helmert III from comment #2)
> GLSA request filed

Whoops, didn't add actually add this bug to the GLSA properly. I suppose we'll throw it in the next one.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 19:17:49 UTC 
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2022-11-22 04:01:20 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a1c6623b6eaf15e917c58aa4f27b51911625e28f

commit a1c6623b6eaf15e917c58aa4f27b51911625e28f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-19 03:32:18 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:39 +0000

    [ GLSA 202211-03 ] PHP: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/867913
    Bug: https://bugs.gentoo.org/873376
    Bug: https://bugs.gentoo.org/877853
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-03.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 04:03:41 UTC 
GLSA released, all done!