Package "libphp8.1-embed"
| Name: |
libphp8.1-embed
|
Description: |
HTML-embedded scripting language (Embedded SAPI library)
|
| Latest version: |
8.1.2-1ubuntu2.20 |
| Release: |
jammy (22.04) |
| Level: |
updates |
| Repository: |
universe |
| Head package: |
php8.1 |
| Homepage: |
http://www.php.net/ |
Links
Download "libphp8.1-embed"
Other versions of "libphp8.1-embed" in Jammy
Changelog
|
php8.1 (8.1.2-1ubuntu2.20) jammy-security; urgency=medium
* SECURITY UPDATE: Buffer over read
- debian/patches/CVE-2024-11233.patch: re arrange
bound check code in ext/standard/filters.c,
ext/standard/tests/filters/ghsa-r977-prxv-hc43.phpt.
- CVE-2024-11233
* SECURITY UPDATE: HTTP request smuggling
- debian/patches/CVE-2024-11234.patch: avoiding
fulluri CRLF injection in ext/standard/http_fopen_wrapper.c.
.../tests/http/ghsa-c5f2-jwm7-mmq2.phpt.
- CVE-2024-11234
* SECURITY UPDATE: Integer overflow
- debian/patches/CVE-2024-11236-1.patch: adding an extralen check
to avoid integer overflow in ext/pdo_dblib/dblib_driver.c,
ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt.
- debian/patches/CVE-2024-11236-2.patch: change qcount to size_t in
order to avoid integer overflow and adding checks in
ext/pdo_firebird/firebird_driver.c.
- CVE-2024-11236
* SECURITY UPDATE: Heap buffer over-reads
- debian/patches/CVE-2024-8929.patch: fix buffer over-reads in
ext/mysqlnd/mysqlnd_ps_codec.c,
ext/mysqlnd/mysqlnd_wireprotocol.c, and create some phpt tests.
- CVE-2024-8929
* SECURITY UPDATE: Integer overflow
- debian/patches/CVE-2024-8932.patch: fix OOB in access in
ldap_escape in ext/ldap/ldap.c,
ext/ldap/tests/GHSA-g665-fm4p-vhff-1.phpt,
ext/ldap/tests/GHSA-g665-fm4p-vhff-2.phpt.
- CVE-2024-8932
-- Leonidas Da Silva Barbosa <email address hidden> Tue, 03 Dec 2024 17:14:35 -0300
|
| Source diff to previous version |
| CVE-2024-11233 |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data |
| CVE-2024-11234 |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, |
| CVE-2024-11236 |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit sy |
| CVE-2024-8929 |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of |
| CVE-2024-8932 |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit sy |
|
|
php8.1 (8.1.2-1ubuntu2.19) jammy-security; urgency=medium
* SECURITY UPDATE: Erroneous parsing of multipart form data
- debian/patches/CVE-2024-8925.patch: limit bounday size in
main/rfc1867.c, tests/basic/*.
- CVE-2024-8925
* SECURITY UPDATE: cgi.force_redirect configuration can be bypassed due
to environment variable collision
- debian/patches/CVE-2024-8927.patch: check for REDIRECT_STATUS in
sapi/cgi/cgi_main.c.
- CVE-2024-8927
* SECURITY UPDATE: Logs from childrens may be altered
- debian/patches/CVE-2024-9026.patch: properly calculate size in
sapi/fpm/fpm/fpm_stdio.c, sapi/fpm/tests/*.
- CVE-2024-9026
-- Marc Deslauriers <email address hidden> Mon, 30 Sep 2024 12:25:25 -0400
|
| Source diff to previous version |
| CVE-2024-8925 |
Erroneous parsing of multipart form data |
| CVE-2024-8927 |
cgi.force_redirect configuration is byppassible due to the environment variable collision |
| CVE-2024-9026 |
Logs from childrens may be altered |
|
|
php8.1 (8.1.2-1ubuntu2.18) jammy-security; urgency=medium
* SECURITY UPDATE: Invalid user information
- debian/patches/CVE-2024-5458.patch: improves filters validation
in ext/filter/logical_filters.c and adds test
in ext/filter/tests/ghsa-w8qr-v226-r27w.phpt.
- CVE-2024-5458
-- Leonidas Da Silva Barbosa <email address hidden> Fri, 14 Jun 2024 12:52:55 -0300
|
| Source diff to previous version |
| CVE-2024-5458 |
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when |
|
|
php8.1 (8.1.2-1ubuntu2.17) jammy-security; urgency=medium
* SECURITY UPDATE: Heap buffer-overflow
- debian/patches/CVE-2022-4900.patch: prevent potential buffer
overflow for large valye of php_cli_server_workers_max in
sapi/cli/php_cli_server.c.
- CVE-2022-4900
* SECURITY UPDATE: Cookie by pass
- debian/patches/CVE-2024-2756.patch: adds more mangling rules
in main/php_variable.c.
- CVE-2024-2756
* SECURITY UPDATE: Account take over risk
- debian/patches/CVE-2024-3096.patch: disallow null character in bcrypt
password in ext/standard/password.c,
ext/standard/tests/password_bcrypt_errors.phpt.
- CVE-2024-3096
-- Leonidas Da Silva Barbosa <email address hidden> Wed, 01 May 2024 07:10:07 -0300
|
| Source diff to previous version |
| CVE-2022-4900 |
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. |
| CVE-2024-2756 |
Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard in |
| CVE-2024-3096 |
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00 |
|
|
php8.1 (8.1.2-1ubuntu2.15) jammy; urgency=medium
* d/p/fix-attribute-instantion-dangling-pointer.patch: Fix sigsegv from
dangling pointer on attribute observer. (LP: #2054621)
* d/p/fix-attribute-instantion-memory-overflow-recovery.patch: Fix sigsegv
during memory overflow recovery on attribute observer.
-- Brian Morton <email address hidden> Fri, 23 Feb 2024 12:26:53 -0500
|
| 2054621 |
Fix PHP crashes due to accessing dangling pointers |
|
About
-
Send Feedback to @ubuntu_updates
