UbuntuUpdates.org

Package "libphp8.1-embed"

Name: libphp8.1-embed

Description:

HTML-embedded scripting language (Embedded SAPI library)

Latest version: 8.1.2-1ubuntu2.19
Release: jammy (22.04)
Level: updates
Repository: universe
Head package: php8.1
Homepage: http://www.php.net/

Links


Download "libphp8.1-embed"


Other versions of "libphp8.1-embed" in Jammy

Repository Area Version
base universe 8.1.2-1ubuntu2
security universe 8.1.2-1ubuntu2.19

Changelog

Version: 8.1.2-1ubuntu2.19 2024-10-01 17:07:11 UTC

  php8.1 (8.1.2-1ubuntu2.19) jammy-security; urgency=medium

  * SECURITY UPDATE: Erroneous parsing of multipart form data
    - debian/patches/CVE-2024-8925.patch: limit bounday size in
      main/rfc1867.c, tests/basic/*.
    - CVE-2024-8925
  * SECURITY UPDATE: cgi.force_redirect configuration can be bypassed due
    to environment variable collision
    - debian/patches/CVE-2024-8927.patch: check for REDIRECT_STATUS in
      sapi/cgi/cgi_main.c.
    - CVE-2024-8927
  * SECURITY UPDATE: Logs from childrens may be altered
    - debian/patches/CVE-2024-9026.patch: properly calculate size in
      sapi/fpm/fpm/fpm_stdio.c, sapi/fpm/tests/*.
    - CVE-2024-9026

 -- Marc Deslauriers <email address hidden> Mon, 30 Sep 2024 12:25:25 -0400

Source diff to previous version
CVE-2024-8925 Erroneous parsing of multipart form data
CVE-2024-8927 cgi.force_redirect configuration is byppassible due to the environment variable collision
CVE-2024-9026 Logs from childrens may be altered

Version: 8.1.2-1ubuntu2.18 2024-06-19 14:07:18 UTC

  php8.1 (8.1.2-1ubuntu2.18) jammy-security; urgency=medium

  * SECURITY UPDATE: Invalid user information
    - debian/patches/CVE-2024-5458.patch: improves filters validation
      in ext/filter/logical_filters.c and adds test
      in ext/filter/tests/ghsa-w8qr-v226-r27w.phpt.
    - CVE-2024-5458

 -- Leonidas Da Silva Barbosa <email address hidden> Fri, 14 Jun 2024 12:52:55 -0300

Source diff to previous version
CVE-2024-5458 In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when

Version: 8.1.2-1ubuntu2.17 2024-05-03 04:07:01 UTC

  php8.1 (8.1.2-1ubuntu2.17) jammy-security; urgency=medium

  * SECURITY UPDATE: Heap buffer-overflow
    - debian/patches/CVE-2022-4900.patch: prevent potential buffer
      overflow for large valye of php_cli_server_workers_max in
      sapi/cli/php_cli_server.c.
    - CVE-2022-4900
  * SECURITY UPDATE: Cookie by pass
    - debian/patches/CVE-2024-2756.patch: adds more mangling rules
      in main/php_variable.c.
    - CVE-2024-2756
  * SECURITY UPDATE: Account take over risk
    - debian/patches/CVE-2024-3096.patch: disallow null character in bcrypt
      password in ext/standard/password.c,
      ext/standard/tests/password_bcrypt_errors.phpt.
    - CVE-2024-3096

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 01 May 2024 07:10:07 -0300

Source diff to previous version
CVE-2022-4900 A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
CVE-2024-2756 Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard in
CVE-2024-3096 In PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00

Version: 8.1.2-1ubuntu2.15 2024-04-11 20:07:02 UTC

  php8.1 (8.1.2-1ubuntu2.15) jammy; urgency=medium

  * d/p/fix-attribute-instantion-dangling-pointer.patch: Fix sigsegv from
    dangling pointer on attribute observer. (LP: #2054621)
  * d/p/fix-attribute-instantion-memory-overflow-recovery.patch: Fix sigsegv
    during memory overflow recovery on attribute observer.

 -- Brian Morton <email address hidden> Fri, 23 Feb 2024 12:26:53 -0500

Source diff to previous version
2054621 Fix PHP crashes due to accessing dangling pointers

Version: 8.1.2-1ubuntu2.14 2023-08-23 20:07:02 UTC

  php8.1 (8.1.2-1ubuntu2.14) jammy-security; urgency=medium

  * SECURITY UPDATE: Disclosure sensitive information
    - debian/patches/CVE-2023-3823.patch: sanitieze libxml2 globals
      before parsing in ext/dom/document.c, ext/dom/documentfragment.c,
      xml_global_state_entity_loader_bypass.phpt, ext/libxml/php_libxml.h,
      ext/simplexml/simplexml.c, xml_global_state_entity_loader_bypass.phpt,
      ext/soap/php_xml.c, ext/xml/compat.c, ext/xmlreader/php_xmlreader.c,
      xml_global_state_entity_loader_bypass.phpt, ext/xsl/xsltprocessor.c,
      ext/zend_test/test.c, ext/zend_test/test.stub.php.
    - CVE-2023-3823
  * SECURITY UPDATE: Stack buffer overflow
    - debian/patches/CVE-2023-3824.patch: fix buffer mismanagement in
      phar_dir_read(), and in files ext/phar/dirstream.c,
      ext/phar/tests/GHSA-jqcx-ccgx-xwhv.phpt.
    - CVE-2023-3824

 -- Leonidas Da Silva Barbosa <email address hidden> Fri, 18 Aug 2023 08:41:11 -0300




About   -   Send Feedback to @ubuntu_updates