--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-39d50cc975
2024-04-19 02:52:22.310679
--------------------------------------------------------------------------------

Name        : php
Product     : Fedora 38
Version     : 8.2.18
Release     : 1.fc38
URL         : http://www.php.net/
Summary     : PHP scripting language for creating dynamic web sites
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated web pages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts.

--------------------------------------------------------------------------------
Update Information:

PHP version 8.2.18 (11 Apr 2024)
Core:
Fixed bug GH-13612 (Corrupted memory in destructor with weak references).
(nielsdos)
Fixed bug GH-13784 (AX_GCC_FUNC_ATTRIBUTE failure). (Remi)
Fixed bug GH-13670 (GC does not scale well with a lot of objects created in
destructor). (Arnaud)
DOM:
Add some missing ZPP checks. (nielsdos)
Fix potential memory leak in XPath evaluation results. (nielsdos)
Fix phpdoc for DOMDocument load methods. (VincentLanglet)
FPM:
Fix incorrect check in fpm_shm_free(). (nielsdos)
GD:
Fixed bug GH-12019 (add GDLIB_CFLAGS in feature tests). (Michael Orlitzky)
Gettext:
Fixed sigabrt raised with dcgettext/dcngettext calls with gettext 0.22.5 with
category set to LC_ALL. (David Carlier)
MySQLnd:
Fix GH-13452 (Fixed handshake response [mysqlnd]). (Saki Takamachi)
Fix incorrect charset length in check_mb_eucjpms(). (nielsdos)
Opcache:
Fixed GH-13508 (JITed QM_ASSIGN may be optimized out when op1 is null). (Arnaud,
Dmitry)
Fixed GH-13712 (Segmentation fault for enabled observers when calling trait
method of internal trait when opcache is loaded). (Bob)
PDO:
Fix various PDORow bugs. (Girgias)
Random:
Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown modes).
(timwolla)
Fixed bug GH-13690 (Global Mt19937 is not properly reset in-between requests
when MT_RAND_PHP is used). (timwolla)
Session:
Fixed bug GH-13680 (Segfault with session_decode and compilation error).
(nielsdos)
Sockets:
Fixed bug GH-13604 (socket_getsockname returns random characters in the end of
the socket name). (David Carlier)
SPL:
Fixed bug GH-13531 (Unable to resize SplfixedArray after being unserialized in
PHP 8.2.15). (nielsdos)
Fixed bug GH-13685 (Unexpected null pointer in zend_string.h). (nielsdos)
Standard:
Fixed bug GH-11808 (Live filesystem modified by tests). (nielsdos)
Fixed GH-13402 (Added validation of \n in $additional_headers of mail()).
(SakiTakamachi)
Fixed bug GH-13203 (file_put_contents fail on strings over 4GB on Windows).
(divinity76)
Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command
parameter of proc_open). (CVE-2024-1874) (Jakub Zelenka)
Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial
CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)
XML:
Fixed bug GH-13517 (Multiple test failures when building with --with-expat).
(nielsdos)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 10 2024 Remi Collet  - 8.2.18-1
- Update to 8.2.18 - http://www.php.net/releases/8_2_18.php
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2275058 - CVE-2024-2756 php: host/secure cookie bypass due to partial CVE-2022-31629 fix
        https://bugzilla.redhat.com/show_bug.cgi?id=2275058
  [ 2 ] Bug #2275061 - CVE-2024-3096 php: password_verify can erroneously return true, opening ATO risk
        https://bugzilla.redhat.com/show_bug.cgi?id=2275061
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-39d50cc975' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
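Added example, not part of the Fedora notification: a small POSIX sh check that reports whether the installed php package is already at or above the fixed build (8.2.18-1.fc38) from this advisory, so a fleet can be swept before and after running the dnf command above. It assumes Fedora 38, that `rpm` is present for the live query, and that version components are numeric; the comparison functions run without rpm.

```shell
#!/bin/sh
# Added example (not from the advisory): does the installed php meet
# the fixed build of FEDORA-2024-39d50cc975 (php-8.2.18-1.fc38)?
FIXED_VERSION="8.2.18"
FIXED_RELEASE="1.fc38"

# Compare two dotted numeric versions (e.g. 8.2.17 vs 8.2.18) and
# print -1, 0 or 1 like strcmp; missing trailing components count as 0.
# Assumes purely numeric components (no "RC1" suffixes).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ "$a" = "$ax" ] && a="" || a="${a#*.}"
        [ "$b" = "$bx" ] && b="" || b="${b#*.}"
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -lt "$bx" ]; then echo -1; return; fi
        if [ "$ax" -gt "$bx" ]; then echo 1; return; fi
    done
    echo 0
}

# Return 0 (true) when VERSION/RELEASE is at or above the fixed build.
# The release ("1.fc38") is compared on its leading integer only.
php_is_fixed() {
    ver="$1"; rel="$2"
    case "$(vercmp "$ver" "$FIXED_VERSION")" in
        1)  return 0 ;;
        -1) return 1 ;;
    esac
    relnum="${rel%%.*}"; fixednum="${FIXED_RELEASE%%.*}"
    [ "$relnum" -ge "$fixednum" ]
}

# Live check on the host: query rpm and print a verdict.
# Returns 0 if fixed, 1 if vulnerable, 2 if it could not tell.
check_installed_php() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    nvr="$(rpm -q php --qf '%{VERSION} %{RELEASE}\n' 2>/dev/null)" \
        || { echo "php not installed"; return 2; }
    set -- $nvr
    if php_is_fixed "$1" "$2"; then
        echo "php $1-$2: fixed (>= $FIXED_VERSION-$FIXED_RELEASE)"
    else
        echo "php $1-$2: VULNERABLE, run: dnf upgrade --advisory FEDORA-2024-39d50cc975"
        return 1
    fi
}
```

Call `check_installed_php` on each Fedora 38 host; a non-zero exit marks hosts still to be patched.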

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------