UbuntuUpdates.org

Package "php7.4"

Name: php7.4

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • HTML-embedded scripting language (Embedded SAPI library)
  • Bcmath module for PHP
  • bzip2 module for PHP
  • DBA module for PHP

Latest version: 7.4.3-4ubuntu2.24
Release: focal (20.04)
Level: security
Repository: universe

Links



Other versions of "php7.4" in Focal

Repository Area Version
base universe 7.4.3-4ubuntu1
base main 7.4.3-4ubuntu1
security main 7.4.3-4ubuntu2.24
updates universe 7.4.3-4ubuntu2.24
updates main 7.4.3-4ubuntu2.24

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 7.4.3-4ubuntu2.24 2024-10-02 01:07:24 UTC

  php7.4 (7.4.3-4ubuntu2.24) focal-security; urgency=medium

  * SECURITY UPDATE: Erroneous parsing of multipart form data
    - debian/patches/CVE-2024-8925.patch: limit bounday size in
      main/rfc1867.c, tests/basic/*.
    - CVE-2024-8925
  * SECURITY UPDATE: cgi.force_redirect configuration can be bypassed due
    to environment variable collision
    - debian/patches/CVE-2024-8927.patch: check for REDIRECT_STATUS in
      sapi/cgi/cgi_main.c.
    - CVE-2024-8927

 -- Marc Deslauriers <email address hidden> Mon, 30 Sep 2024 14:16:20 -0400

Source diff to previous version
CVE-2024-8925 Erroneous parsing of multipart form data
CVE-2024-8927 cgi.force_redirect configuration is byppassible due to the environment variable collision

Version: 7.4.3-4ubuntu2.23 2024-06-19 13:07:08 UTC

  php7.4 (7.4.3-4ubuntu2.23) focal-security; urgency=medium

  * SECURITY UPDATE: Invalid user information
    - debian/patches/CVE-2024-5458.patch: improves filters validation
      in ext/filter/logical_filters.c and adds test
      in ext/filter/tests/ghsa-w8qr-v226-r27w.phpt.
    - CVE-2024-5458

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 17 Jun 2024 10:22:20 -0300

Source diff to previous version
CVE-2024-5458 In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when

Version: 7.4.3-4ubuntu2.22 2024-05-02 18:07:35 UTC

  php7.4 (7.4.3-4ubuntu2.22) focal-security; urgency=medium

  * SECURITY UPDATE: Heap buffer-overflow
    - debian/patches/CVE-2022-4900.patch: prevent potential buffer
      overflow for large valye of php_cli_server_workers_max in
      sapi/cli/php_cli_server.c.
    - CVE-2022-4900
  * SECURITY UPDATE: Cookie by pass
    - debian/patches/CVE-2024-2756.patch: adds more mangling rules
      in main/php_variable.c.
    - CVE-2024-2756
  * SECURITY UPDATE: Account take over risk
    - debian/patches/CVE-2024-3096.patch: disallow null character in bcrypt
      password in ext/standard/password.c,
      ext/standard/tests/password_bcrypt_errors.phpt.
    - CVE-2024-3096

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 01 May 2024 07:11:33 -0300

Source diff to previous version
CVE-2022-4900 A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
CVE-2024-2756 Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard in
CVE-2024-3096 In PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00

Version: 7.4.3-4ubuntu2.20 2024-02-27 12:07:05 UTC

  php7.4 (7.4.3-4ubuntu2.20) focal-security; urgency=medium

  * SECURITY UPDATE: Disclosure sensitive information
    - debian/patches/CVE-2023-3823.patch: sanitieze libxml2 globals
      before parsing in ext/dom/document.c, ext/dom/documentfragment.c,
      xml_global_state_entity_loader_bypass.phpt, ext/libxml/php_libxml.h,
      ext/simplexml/simplexml.c, xml_global_state_entity_loader_bypass.phpt,
      ext/soap/php_xml.c, ext/xml/compat.c, ext/xmlreader/php_xmlreader.c,
      xml_global_state_entity_loader_bypass.phpt, ext/xsl/xsltprocessor.c,
      ext/zend_test/test.c.
    - CVE-2023-3823
  * SECURITY UPDATE: Stack buffer overflow
    - debian/patches/CVE-2023-3824.patch: fix buffer mismanagement in
      phar_dir_read(), and in files ext/phar/dirstream.c,
      ext/phar/tests/GHSA-jqcx-ccgx-xwhv.phpt.
    - CVE-2023-3824

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 21 Feb 2024 10:54:34 -0300

Source diff to previous version
CVE-2023-3823 In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configura
CVE-2023-3824 In PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insuf

Version: 7.4.3-4ubuntu2.19 2023-07-03 17:07:07 UTC

  php7.4 (7.4.3-4ubuntu2.19) focal-security; urgency=medium

  * SECURITY UPDATE: Missing error check and insufficient random
    bytes
    - debian/patches/CVE-2023-3247-1.patch: fixes missing randomness
      check and insufficient random byes for SOAP HTTP digest
      in ext/soap/php_http.c.
    - debian/patches/CVE-2023-3247-2.patch: fix wrong backporting of previous
      soap patch.
    - CVE-2023-3247

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 27 Jun 2023 12:49:59 -0300

CVE-2023-3247 GHSA-76gg-c692-v2mw: Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP



About   -   Send Feedback to @ubuntu_updates