Package "libphp7.4-embed"
| Name: |
libphp7.4-embed
|
Description: |
HTML-embedded scripting language (Embedded SAPI library)
|
| Latest version: |
7.4.3-4ubuntu2.28 |
| Release: |
focal (20.04) |
| Level: |
security |
| Repository: |
universe |
| Head package: |
php7.4 |
| Homepage: |
http://www.php.net/ |
Links
Download "libphp7.4-embed"
Other versions of "libphp7.4-embed" in Focal
Changelog
|
php7.4 (7.4.3-4ubuntu2.28) focal-security; urgency=medium
* SECURITY REGRESSION: Previous update caused a regression
- debian/patches/CVE-2024-8932.patch: removing RETURN_THROWS
symbol that was causing a regression in prev update.
- CVE-2024-8932
-- Leonidas Da Silva Barbosa <email address hidden> Fri, 13 Dec 2024 10:46:46 -0300
|
| Source diff to previous version |
| CVE-2024-8932 |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit sy |
|
|
php7.4 (7.4.3-4ubuntu2.26) focal-security; urgency=medium
* SECURITY UPDATE: Buffer over read
- debian/patches/CVE-2024-11233.patch: re arrange
bound check code in ext/standard/filters.c,
ext/standard/tests/filters/ghsa-r977-prxv-hc43.phpt.
- CVE-2024-11233
* SECURITY UPDATE: HTTP request smuggling
- debian/patches/CVE-2024-11234.patch: avoiding
fulluri CRLF injection in ext/standard/http_fopen_wrapper.c.
.../tests/http/ghsa-c5f2-jwm7-mmq2.phpt.
- CVE-2024-11234
* SECURITY UPDATE: Integer overflow
- debian/patches/CVE-2024-11236-1.patch: adding an extralen check
to avoid integer overflow in ext/pdo_dblib/dblib_driver.c,
ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt.
- debian/patches/CVE-2024-11236-2.patch: change qcount to size_t in
order to avoid integer overflow and adding checks in
ext/pdo_firebird/firebird_driver.c.
- CVE-2024-11236
* SECURITY UPDATE: Heap buffer over-reads
- debian/patches/CVE-2024-8929.patch: fix buffer over-reads in
ext/mysqlnd/mysqlnd_ps_codec.c,
ext/mysqlnd/mysqlnd_wireprotocol.c, and create some phpt tests.
- CVE-2024-8929
* SECURITY UPDATE: Integer overflow
- debian/patches/CVE-2024-8932.patch: fix OOB in access in
ldap_escape in ext/ldap/ldap.c,
ext/ldap/tests/GHSA-g665-fm4p-vhff-1.phpt,
ext/ldap/tests/GHSA-g665-fm4p-vhff-2.phpt.
- CVE-2024-8932
-- Leonidas Da Silva Barbosa <email address hidden> Wed, 04 Dec 2024 13:05:49 -0300
|
| Source diff to previous version |
| CVE-2024-11233 |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data |
| CVE-2024-11234 |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, |
| CVE-2024-11236 |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit sy |
| CVE-2024-8929 |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of |
| CVE-2024-8932 |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit sy |
|
|
php7.4 (7.4.3-4ubuntu2.24) focal-security; urgency=medium
* SECURITY UPDATE: Erroneous parsing of multipart form data
- debian/patches/CVE-2024-8925.patch: limit bounday size in
main/rfc1867.c, tests/basic/*.
- CVE-2024-8925
* SECURITY UPDATE: cgi.force_redirect configuration can be bypassed due
to environment variable collision
- debian/patches/CVE-2024-8927.patch: check for REDIRECT_STATUS in
sapi/cgi/cgi_main.c.
- CVE-2024-8927
-- Marc Deslauriers <email address hidden> Mon, 30 Sep 2024 14:16:20 -0400
|
| Source diff to previous version |
| CVE-2024-8925 |
Erroneous parsing of multipart form data |
| CVE-2024-8927 |
cgi.force_redirect configuration is byppassible due to the environment variable collision |
|
|
php7.4 (7.4.3-4ubuntu2.23) focal-security; urgency=medium
* SECURITY UPDATE: Invalid user information
- debian/patches/CVE-2024-5458.patch: improves filters validation
in ext/filter/logical_filters.c and adds test
in ext/filter/tests/ghsa-w8qr-v226-r27w.phpt.
- CVE-2024-5458
-- Leonidas Da Silva Barbosa <email address hidden> Mon, 17 Jun 2024 10:22:20 -0300
|
| Source diff to previous version |
| CVE-2024-5458 |
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when |
|
|
php7.4 (7.4.3-4ubuntu2.22) focal-security; urgency=medium
* SECURITY UPDATE: Heap buffer-overflow
- debian/patches/CVE-2022-4900.patch: prevent potential buffer
overflow for large valye of php_cli_server_workers_max in
sapi/cli/php_cli_server.c.
- CVE-2022-4900
* SECURITY UPDATE: Cookie by pass
- debian/patches/CVE-2024-2756.patch: adds more mangling rules
in main/php_variable.c.
- CVE-2024-2756
* SECURITY UPDATE: Account take over risk
- debian/patches/CVE-2024-3096.patch: disallow null character in bcrypt
password in ext/standard/password.c,
ext/standard/tests/password_bcrypt_errors.phpt.
- CVE-2024-3096
-- Leonidas Da Silva Barbosa <email address hidden> Wed, 01 May 2024 07:11:33 -0300
|
| CVE-2022-4900 |
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. |
| CVE-2024-2756 |
Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard in |
| CVE-2024-3096 |
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00 |
|
About
-
Send Feedback to @ubuntu_updates
