UbuntuUpdates.org

Package "php8.1"

Name: php8.1

Description:

server-side, HTML-embedded scripting language (metapackage)
Latest version: 8.1.2-1ubuntu2.19
Release: jammy (22.04)
Level: updates
Repository: main
Homepage: http://www.php.net/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "php8.1"

All arch deb package
APT INSTALL

Other versions of "php8.1" in Jammy

Repository Area Version
base universe 8.1.2-1ubuntu2
base main 8.1.2-1ubuntu2
security main 8.1.2-1ubuntu2.19
security universe 8.1.2-1ubuntu2.19
updates universe 8.1.2-1ubuntu2.19

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 8.1.2-1ubuntu2.19 2024-10-01 17:07:07 UTC

  php8.1 (8.1.2-1ubuntu2.19) jammy-security; urgency=medium

  * SECURITY UPDATE: Erroneous parsing of multipart form data
    - debian/patches/CVE-2024-8925.patch: limit bounday size in
      main/rfc1867.c, tests/basic/*.
    - CVE-2024-8925
  * SECURITY UPDATE: cgi.force_redirect configuration can be bypassed due
    to environment variable collision
    - debian/patches/CVE-2024-8927.patch: check for REDIRECT_STATUS in
      sapi/cgi/cgi_main.c.
    - CVE-2024-8927
  * SECURITY UPDATE: Logs from childrens may be altered
    - debian/patches/CVE-2024-9026.patch: properly calculate size in
      sapi/fpm/fpm/fpm_stdio.c, sapi/fpm/tests/*.
    - CVE-2024-9026

 -- Marc Deslauriers <email address hidden> Mon, 30 Sep 2024 12:25:25 -0400
Source diff to previous version
CVE-2024-8925 Erroneous parsing of multipart form data
CVE-2024-8927 cgi.force_redirect configuration is byppassible due to the environment variable collision
CVE-2024-9026 Logs from childrens may be altered

Version: 8.1.2-1ubuntu2.18 2024-06-19 14:07:16 UTC

  php8.1 (8.1.2-1ubuntu2.18) jammy-security; urgency=medium

  * SECURITY UPDATE: Invalid user information
    - debian/patches/CVE-2024-5458.patch: improves filters validation
      in ext/filter/logical_filters.c and adds test
      in ext/filter/tests/ghsa-w8qr-v226-r27w.phpt.
    - CVE-2024-5458

 -- Leonidas Da Silva Barbosa <email address hidden> Fri, 14 Jun 2024 12:52:55 -0300
Source diff to previous version
CVE-2024-5458 In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when

Version: 8.1.2-1ubuntu2.17 2024-05-03 04:07:00 UTC

  php8.1 (8.1.2-1ubuntu2.17) jammy-security; urgency=medium

  * SECURITY UPDATE: Heap buffer-overflow
    - debian/patches/CVE-2022-4900.patch: prevent potential buffer
      overflow for large valye of php_cli_server_workers_max in
      sapi/cli/php_cli_server.c.
    - CVE-2022-4900
  * SECURITY UPDATE: Cookie by pass
    - debian/patches/CVE-2024-2756.patch: adds more mangling rules
      in main/php_variable.c.
    - CVE-2024-2756
  * SECURITY UPDATE: Account take over risk
    - debian/patches/CVE-2024-3096.patch: disallow null character in bcrypt
      password in ext/standard/password.c,
      ext/standard/tests/password_bcrypt_errors.phpt.
    - CVE-2024-3096

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 01 May 2024 07:10:07 -0300
Source diff to previous version
CVE-2022-4900 A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
CVE-2024-2756 Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard in
CVE-2024-3096 In PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00

Version: 8.1.2-1ubuntu2.15 2024-04-11 20:06:59 UTC

  php8.1 (8.1.2-1ubuntu2.15) jammy; urgency=medium

  * d/p/fix-attribute-instantion-dangling-pointer.patch: Fix sigsegv from
    dangling pointer on attribute observer. (LP: #2054621)
  * d/p/fix-attribute-instantion-memory-overflow-recovery.patch: Fix sigsegv
    during memory overflow recovery on attribute observer.

 -- Brian Morton <email address hidden> Fri, 23 Feb 2024 12:26:53 -0500
Source diff to previous version
2054621 Fix PHP crashes due to accessing dangling pointers

Version: 8.1.2-1ubuntu2.14 2023-08-23 20:07:01 UTC

  php8.1 (8.1.2-1ubuntu2.14) jammy-security; urgency=medium

  * SECURITY UPDATE: Disclosure sensitive information
    - debian/patches/CVE-2023-3823.patch: sanitieze libxml2 globals
      before parsing in ext/dom/document.c, ext/dom/documentfragment.c,
      xml_global_state_entity_loader_bypass.phpt, ext/libxml/php_libxml.h,
      ext/simplexml/simplexml.c, xml_global_state_entity_loader_bypass.phpt,
      ext/soap/php_xml.c, ext/xml/compat.c, ext/xmlreader/php_xmlreader.c,
      xml_global_state_entity_loader_bypass.phpt, ext/xsl/xsltprocessor.c,
      ext/zend_test/test.c, ext/zend_test/test.stub.php.
    - CVE-2023-3823
  * SECURITY UPDATE: Stack buffer overflow
    - debian/patches/CVE-2023-3824.patch: fix buffer mismanagement in
      phar_dir_read(), and in files ext/phar/dirstream.c,
      ext/phar/tests/GHSA-jqcx-ccgx-xwhv.phpt.
    - CVE-2023-3824

 -- Leonidas Da Silva Barbosa <email address hidden> Fri, 18 Aug 2023 08:41:11 -0300


About   -   Send Feedback to @ubuntu_updates