| Summary: | <dev-lang/php-{7.4.33-r2,8.0.28,8.1.16,8.2.3}: multiple vulnerabilities | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | rx80 <rokfaith> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | ||
| Severity: | normal | CC: | ajak, mjo, php-bugs, security |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.php.net/ChangeLog-8.php#8.2.3 | ||
| Whiteboard: | B3 [stable] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 895624 | ||
| Bug Blocks: | |||
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8a5c3e91728ad636d1e36b7b793d3b7688ca45b commit c8a5c3e91728ad636d1e36b7b793d3b7688ca45b Author: Brian Evans <grknight@gentoo.org> AuthorDate: 2023-02-20 19:41:08 +0000 Commit: Brian Evans <grknight@gentoo.org> CommitDate: 2023-02-20 19:43:14 +0000 dev-lang/php: Version bump for 8.2.3 Bug: https://bugs.gentoo.org/895416 Signed-off-by: Brian Evans <grknight@gentoo.org> dev-lang/php/Manifest | 1 + dev-lang/php/php-8.2.3.ebuild | 759 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 760 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cb938cd4f61ab78f72abb7c421e03d6d57499e9 commit 6cb938cd4f61ab78f72abb7c421e03d6d57499e9 Author: Brian Evans <grknight@gentoo.org> AuthorDate: 2023-02-20 18:48:48 +0000 Commit: Brian Evans <grknight@gentoo.org> CommitDate: 2023-02-20 19:43:14 +0000 dev-lang/php: Version bump for 8.1.16 Bug: https://bugs.gentoo.org/895416 Signed-off-by: Brian Evans <grknight@gentoo.org> dev-lang/php/Manifest | 1 + dev-lang/php/php-8.1.16.ebuild | 757 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 758 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5fe23c565f19e1b0af60f3081854aab95f94c903 commit 5fe23c565f19e1b0af60f3081854aab95f94c903 Author: Brian Evans <grknight@gentoo.org> AuthorDate: 2023-02-20 18:27:49 +0000 Commit: Brian Evans <grknight@gentoo.org> CommitDate: 2023-02-20 19:43:13 +0000 dev-lang/php: Version bump for 8.0.28 Bug: https://bugs.gentoo.org/895416 Signed-off-by: Brian Evans <grknight@gentoo.org> dev-lang/php/Manifest | 1 + dev-lang/php/php-8.0.28.ebuild | 759 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 760 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b711589df12322ac7ca3cbe4e5889a623dc81a96 commit b711589df12322ac7ca3cbe4e5889a623dc81a96 Author: Brian Evans <grknight@gentoo.org> AuthorDate: 2023-02-20 18:07:03 +0000 Commit: Brian Evans <grknight@gentoo.org> CommitDate: 2023-02-20 19:43:13 +0000 dev-lang/php: Revbump for backporting CVE patches to 7.4 Bug: https://bugs.gentoo.org/895416 Signed-off-by: Brian Evans <grknight@gentoo.org> dev-lang/php/files/php-7.4.33-CVE-2023-0567.patch | 114 ++++ dev-lang/php/files/php-7.4.33-CVE-2023-0568.patch | 37 ++ dev-lang/php/files/php-7.4.33-CVE-2023-0662.patch | 48 ++ dev-lang/php/php-7.4.33-r2.ebuild | 753 ++++++++++++++++++++++ 4 files changed, 952 insertions(+) Thank you for your quick update. 8.2.3 tested on two amd64 machines, in cli and fpm mode, installs and works as expected. Thanks! |
From changelog for 8.2.3, 8.1.16, 8.0.28 Core: Fixed bug #81744 (Password_verify() always return true with some hash). (CVE-2023-0567) Fixed bug #81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568) SAPI: Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)