UbuntuUpdates.org

Package "php8.3-bz2"

Name: php8.3-bz2

Description:

bzip2 module for PHP
Latest version: 8.3.6-0ubuntu0.24.04.9
Release: noble (24.04)
Level: updates
Repository: universe
Head package: php8.3
Homepage: http://www.php.net/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "php8.3-bz2"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "php8.3-bz2" in Noble

Repository Area Version
base universe 8.3.6-0maysync1
security universe 8.3.6-0ubuntu0.24.04.9

Changelog

Version: 8.3.6-0ubuntu0.24.04.9 2026-05-29 00:08:25 UTC

  php8.3 (8.3.6-0ubuntu0.24.04.9) noble-security; urgency=medium

  * SECURITY UPDATE: SQL injection in PDO Firebird driver
    - debian/patches/CVE-2025-14179.patch: GHSA-w476-322c-wpvm: [pdo_firebird]
      Fix SQL injection via NUL bytes in quoted strings in
      ext/pdo_firebird/firebird_driver.c,
      ext/pdo_firebird/tests/ghsa-w476-322c-wpvm.phpt.
    - CVE-2025-14179
  * SECURITY UPDATE: use-after-free in SOAP extension
    - debian/patches/CVE-2026-6722.patch: GHSA-85c2-q967-79q5: [soap] Fix stale
      SOAP_GLOBAL(ref_map) pointer with Apache Map in ext/soap/php_encoding.c,
      ext/soap/tests/GHSA-85c2-q967-79q5.phpt.
    - CVE-2026-6722
  * SECURITY UPDATE: XSS via incorrect sanitization
    - debian/patches/CVE-2026-6735.patch: GHSA-7qg2-v9fj-4mwv: [fpm] XSS within
      status endpoint in sapi/fpm/fpm/fpm_status.c,
      sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt.
    - CVE-2026-6735
  * SECURITY UPDATE: DoS via passing signed chars
    - debian/patches/CVE-2026-7258.patch: GHSA-m8rr-4c36-8gq4: Consistently pass
      unsigned char to ctype.h functions in Zend/zend_compile.c,
      Zend/zend_ini.c, Zend/zend_operators.c, Zend/zend_virtual_cwd.c,
      Zend/zend_virtual_cwd.h, ext/com_dotnet/com_extension.c,
      ext/date/lib/parse_date.c, ext/date/lib/parse_date.re,
      ext/date/lib/parse_iso_intervals.c, ext/date/lib/parse_iso_intervals.re,
      ext/date/lib/timelib.c, ext/filter/logical_filters.c, ext/ftp/ftp.c,
      ext/gd/libgd/gd_xbm.c, ext/imap/php_imap.c,
      ext/intl/locale/locale_methods.c, ext/mbstring/mbstring.c,
      ext/mbstring/php_mbregex.c, ext/pcre/php_pcre.c, ext/pdo/pdo.c,
      ext/pdo/pdo_sql_parser.re, ext/pdo/pdo_stmt.c, ext/standard/dl.c,
      ext/standard/exec.c, ext/standard/file.c, ext/standard/filters.c,
      ext/standard/formatted_print.c, ext/standard/ftp_fopen_wrapper.c,
      ext/standard/html.c, ext/standard/math.c, ext/standard/metaphone.c,
      ext/standard/quot_print.c, ext/standard/scanf.c, ext/standard/soundex.c,
      ext/standard/string.c, ext/standard/strnatcmp.c, ext/standard/type.c,
      ext/standard/url.c, ext/standard/url_scanner_ex.re,
      ext/standard/versioning.c, main/SAPI.c, main/fopen_wrappers.c,
      main/php_ini.c, main/php_ini_builder.c, main/php_variables.c,
      main/rfc1867.c, main/snprintf.c, main/spprintf.c, main/streams/streams.c,
      main/streams/transports.c, sapi/cli/php_cli_server.c,
      sapi/fpm/fpm/fpm_conf.c, sapi/litespeed/lsapi_main.c,
      sapi/litespeed/lsapilib.c, sapi/phpdbg/phpdbg_cmd.c,
      sapi/phpdbg/phpdbg_prompt.c, sapi/phpdbg/phpdbg_utils.c, win32/sendmail.c.
    - CVE-2026-7258
  * SECURITY UPDATE: null pointer dereference via encoding lists mismatch
    - debian/patches/CVE-2026-7259.patch: GHSA-wm6j-2649-pv75: [mbstring] Fix
      null pointer dereference in php_mb_check_encoding() via
      mb_ereg_search_init() in Zend/tests/GHSA-wm6j-2649-pv75.phpt,
      ext/mbstring/php_mbregex.c.
    - CVE-2026-7259
  * SECURITY UPDATE: use-after-free in SOAP persistance handling
    - debian/patches/CVE-2026-7261.patch: GHSA-m33r-qmcv-p97q: [soap] Fix use-
      after-free after header parsing failure with SOAP_PERSISTENCE_SESSION in
      ext/soap/soap.c, ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt.
    - CVE-2026-7261
  * SECURITY UPDATE: null pointer dereference in SOAP decoding process
    - debian/patches/CVE-2026-7262.patch: GHSA-hmxp-6pc4-f3vv: [soap] Fix broken
      Apache map value NULL check in ext/soap/php_encoding.c,
      ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt.
    - CVE-2026-7262
  * SECURITY UPDATE: integer overflow in metaphone
    - debian/patches/CVE-2026-7568.patch: GHSA-96wq-48vp-hh57: [metaphone] Fix
      signed integer overflow of char array offset in ext/standard/metaphone.c,
      ext/standard/tests/GHSA-96wq-48vp-hh57.phpt.
    - CVE-2026-7568

 -- Marc Deslauriers <email address hidden> Mon, 25 May 2026 09:12:06 -0400
Source diff to previous version
CVE-2025-14179 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL
CVE-2026-6722 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mech
CVE-2026-6735 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows
CVE-2026-7258 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass si
CVE-2026-7259 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma
CVE-2026-7261 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSIS
CVE-2026-7262 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, t
CVE-2026-7568 In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metap

Version: 8.3.6-0ubuntu0.24.04.8 2026-04-01 11:10:32 UTC

  php8.3 (8.3.6-0ubuntu0.24.04.8) noble; urgency=medium

  * d/p/fix-fpm-scoreboard.patch: fix segfault due to outdated patch. The patch
    for LP 2130569 contains WIP code which was not merged to php-src. Fixed
    with correct commit contents. (LP: #2144556)

 -- Renan Rodrigo <email address hidden> Thu, 19 Mar 2026 23:32:55 -0300
Source diff to previous version
2144556 php8.3-fpm: SIGSEGV upon fpm_get_status()

Version: 8.3.6-0ubuntu0.24.04.7 2026-03-12 14:08:12 UTC

  php8.3 (8.3.6-0ubuntu0.24.04.7) noble; urgency=medium

  * d/p/fix-fpm-scoreboard.patch: Fix FPM: ERROR: scoreboard: failed to lock
    (LP: #2130569)

 -- Renan Rodrigo <email address hidden> Tue, 27 Jan 2026 00:09:47 -0300
Source diff to previous version
2130569 php-fpm scoreboard: failed to lock

Version: 8.3.6-0ubuntu0.24.04.6 2026-01-12 14:08:22 UTC

  php8.3 (8.3.6-0ubuntu0.24.04.6) noble-security; urgency=medium

  * SECURITY UPDATE: Information leak of memory in getimagesize
    - debian/patches/CVE-2025-14177.patch: fix php_read_stream_all_chunks()
      in ext/standard/image.c
    - CVE-2025-14177
  * SECURITY UPDATE: Heap buffer overflow in array_merge()
    - debian/patches/CVE-2025-14178.patch: check number of elements in
      ext/standard/array.c
    - CVE-2025-14178
  * SECURITY UPDATE: NULL pointer dereference in PDO quoting
    - debian/patches/CVE-2025-14180.patch: fix null pointer dereference in
      ext/pdo/pdo_sql_parser.re
    - CVE-2025-14180

 -- Nishit Majithia <email address hidden> Wed, 07 Jan 2026 14:10:32 +0530
Source diff to previous version
CVE-2025-14177 In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function m
CVE-2025-14178 In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs
CVE-2025-14180 In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL

Version: 8.3.6-0ubuntu0.24.04.5 2025-07-17 21:28:16 UTC

  php8.3 (8.3.6-0ubuntu0.24.04.5) noble-security; urgency=medium

  * SECURITY UPDATE: Null byte termination in hostnames
    - debian/patches/CVE-2025-1220.patch: check hostnames in
      ext/standard/fsock.c,
      ext/standard/tests/network/ghsa-3cr5-j632-f35r.phpt,
      ext/standard/tests/streams/ghsa-3cr5-j632-f35r.phpt,
      main/streams/xp_socket.c.
    - CVE-2025-1220
  * SECURITY UPDATE: pgsql extension does not check for errors during
    escaping
    - debian/patches/CVE-2025-1735.patch: add error checks in
      ext/pdo_pgsql/pgsql_driver.c,
      ext/pdo_pgsql/tests/ghsa-hrwm-9436-5mv3.phpt,
      ext/pgsql/pgsql.c, ext/pgsql/tests/ghsa-hrwm-9436-5mv3.phpt.
    - CVE-2025-1735
  * SECURITY UPDATE: NULL Pointer Dereference in PHP SOAP Extension via
    Large XML Namespace Prefix
    - debian/patches/CVE-2025-6491.patch: handle large names in
      ext/soap/soap.c, ext/soap/tests/soap_qname_crash.phpt.
    - CVE-2025-6491

 -- Marc Deslauriers <email address hidden> Mon, 14 Jul 2025 14:30:55 -0400
CVE-2025-1220 In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation th
CVE-2025-1735 In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the under
CVE-2025-6491 In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly l


About   -   Send Feedback to @ubuntu_updates