Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 908259

Summary: <dev-lang/php-{8.0.29,8.1.20,8.2.7}: insufficient random bytes in HTTP Digest authentication for SOAP
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mjo, php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 908792    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-10 18:49:28 UTC
Looks like there's a fix in 8.1.20 and 8.2.7:

https://www.php.net/ChangeLog-8.php#8.1.20
https://www.php.net/ChangeLog-8.php#8.2.7
Comment 1 Larry the Git Cow gentoo-dev 2023-06-12 19:36:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1006bc844050fd8d412e954fdadee36bcccca0f1

commit 1006bc844050fd8d412e954fdadee36bcccca0f1
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2023-06-12 19:07:53 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-06-12 19:32:37 +0000

    dev-lang/php: add 8.2.7, drop 8.2.5-r1
    
    Bug: https://bugs.gentoo.org/908259
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-lang/php/Manifest                                  | 2 +-
 dev-lang/php/{php-8.2.5-r1.ebuild => php-8.2.7.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc7e9aec4e92a55b99b932dbf5a084240074eef9

commit bc7e9aec4e92a55b99b932dbf5a084240074eef9
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2023-06-12 19:07:29 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-06-12 19:32:34 +0000

    dev-lang/php: add 8.1.20, drop 8.1.18-r1
    
    Bug: https://bugs.gentoo.org/908259
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-lang/php/Manifest                                    | 2 +-
 dev-lang/php/{php-8.1.18-r1.ebuild => php-8.1.20.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-17 22:45:40 UTC
Thanks, please stable when ready.
Comment 3 Michael Orlitzky gentoo-dev 2023-06-18 13:28:16 UTC
We missed one, fix incoming: https://www.php.net/ChangeLog-8.php#8.0.29
Comment 4 Larry the Git Cow gentoo-dev 2023-06-18 14:14:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eef0359bf0335b935c19d8ba80a77ec6c05938be

commit eef0359bf0335b935c19d8ba80a77ec6c05938be
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2023-06-18 13:07:09 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-06-18 14:11:34 +0000

    dev-lang/php: add missing virtual/libcrypt:= dependencies, bump 8.0.29.
    
    Bug: https://bugs.gentoo.org/908259
    Closes: https://bugs.gentoo.org/908674
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-lang/php/Manifest                              |   1 +
 dev-lang/php/php-7.4.33-r3.ebuild                  | 751 ++++++++++++++++++++
 dev-lang/php/php-8.0.29.ebuild                     | 757 +++++++++++++++++++++
 .../{php-8.1.20.ebuild => php-8.1.20-r1.ebuild}    |   6 +-
 .../php/{php-8.2.7.ebuild => php-8.2.7-r1.ebuild}  |   7 +-
 5 files changed, 1513 insertions(+), 9 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2024-08-12 07:43:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=30ce731e4321742de9b62d58a1f60dbe0cb57e0d

commit 30ce731e4321742de9b62d58a1f60dbe0cb57e0d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-12 07:39:21 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-12 07:43:34 +0000

    [ GLSA 202408-32 ] PHP: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/889882
    Bug: https://bugs.gentoo.org/895416
    Bug: https://bugs.gentoo.org/908259
    Bug: https://bugs.gentoo.org/912331
    Bug: https://bugs.gentoo.org/929929
    Bug: https://bugs.gentoo.org/933752
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-32.xml | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)