Package "php7.4"
Name: |
php7.4
|
Description: |
server-side, HTML-embedded scripting language (metapackage)
|
Latest version: |
7.4.3-4ubuntu2.24 |
Release: |
focal (20.04) |
Level: |
updates |
Repository: |
main |
Homepage: |
http://www.php.net/ |
Links
Download "php7.4"
Other versions of "php7.4" in Focal
Packages in group
Deleted packages are displayed in grey.
Changelog
php7.4 (7.4.3-4ubuntu2.18) focal-security; urgency=medium
* SECURITY UPDATE: password_verify() accepts invalid Blowfish hashes
- debian/patches/CVE-2023-0567-1.patch: fix validation of malformed
BCrypt hashes in ext/standard/crypt_blowfish.c,
ext/standard/tests/crypt/bcrypt_salt_dollar.phpt.
- debian/patches/CVE-2023-0567-2.patch: fix possible buffer overread in
php_crypt() in ext/standard/crypt.c,
ext/standard/tests/password/password_bcrypt_short.phpt.
- CVE-2023-0567
* SECURITY UPDATE: off-by-one in core path resolution function
- debian/patches/CVE-2023-0568.patch: fix array overrun when appending
slash to paths in ext/dom/document.c, ext/xmlreader/php_xmlreader.c,
main/fopen_wrappers.c.
- CVE-2023-0568
* SECURITY UPDATE: DoS via excessive number of parts in HTTP form upload
- debian/patches/CVE-2023-0662-1.patch: introduce
max_multipart_body_parts INI in main/main.c, main/rfc1867.c.
- debian/patches/CVE-2023-0662-2.patch: fix repeated warning for file
uploads limit exceeding in main/rfc1867.c.
- CVE-2023-0662
-- Marc Deslauriers <email address hidden> Thu, 23 Feb 2023 07:43:23 -0500
|
Source diff to previous version |
CVE-2023-0567 |
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3 ... |
CVE-2023-0568 |
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolv |
CVE-2023-0662 |
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consump |
|
php7.4 (7.4.3-4ubuntu2.17) focal-security; urgency=medium
* SECURITY UPDATE: Integer overflow
- debian/patches/CVE-2022-31631.patch: fix check
unquotedlen size in ext/pdo_sqlite/sqlite_driver.c.
- CVE-2022-31631
-- Leonidas Da Silva Barbosa <email address hidden> Tue, 10 Jan 2023 12:37:44 -0300
|
Source diff to previous version |
php7.4 (7.4.3-4ubuntu2.16) focal; urgency=medium
[ Athos Ribeiro ]
* d/rules: fix PHP_EXTRA_VERSION setting. (LP: #1989196)
* Test PHP_EXTRA_VERSION setting with autopkgtest.
[ Matthew Ruffell ]
* No longer throw an error when serializing uninitialized typed
properties with __sleep(), which makes serializing objects with
__sleep() behave the same as serializing objects without
__sleep(). (LP: #1999598)
- d/p/lp-1999598-Fix-bug-79447.patch
-- Athos Ribeiro <email address hidden> Thu, 15 Sep 2022 19:53:21 -0300
|
Source diff to previous version |
1989196 |
Fix PHP_EXTRA_VERSION setting |
1999598 |
Don't throw an error when serializing uninitialized typed properties with __sleep() |
|
php7.4 (7.4.3-4ubuntu2.15) focal-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2022-31628-1.patch: adding a recursion limit
in ext/phar/phar.c, ext/phar/tests/bug81726.phpt.
- debian/source/include-binaries: add ext/phar/tests/bug81726.gz.
- debian/patches/CVE-2022-31628-2.patch: avoid a second check in
ext/phar/phar.c.
- CVE-2022-31628
* SECURITY UPDATE: Cookie injection
- debian/patches/CVE-2022-31629.patch: don't mangle HTTP
variable names that clash with ones that have a specific semantic
meaning in ext/standard/test/bug81727.phpt,
main/php_variables.c.
- CVE-2022-31629
* SECURITY UPDATE: Out of bounds read
- debian/patches/CVE-2022-31630.patch: adds validation in
imageloadfont() for OOB in ext/gd/gd.c, ext/gd/tests/bug81739.phpt.
- CVE-2022-31630
* SECURITY UPDATE: Buffer overflow
- debian/patches/CVE-2022-37454.patch: fixes buffer overflow in
hash_update() on long parameter in
ext/hash/sha3/generic32lc/KeccakSponge.inc,
ext/hash/sha3/generic64lc/KeccakSponge.inc.
- CVE-2022-37454
-- Leonidas Da Silva Barbosa <email address hidden> Wed, 02 Nov 2022 06:53:44 -0300
|
Source diff to previous version |
CVE-2022-31628 |
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infini |
CVE-2022-31629 |
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the |
CVE-2022-37454 |
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute |
|
php7.4 (7.4.3-4ubuntu2.13) focal; urgency=medium
* d/p/0047-Update-gcc-func-attr-macro.patch: fix detection of unknown gcc
function attributes. (LP: #1882279)
-- Athos Ribeiro <email address hidden> Wed, 17 Aug 2022 10:29:56 -0300
|
1882279 |
PHP built from source performs much better than the Ubuntu packaged version |
|
About
-
Send Feedback to @ubuntu_updates