[SECURITY] [DLA 3986-1] php7.4 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3986-1] php7.4 security update
From: Guilhem Moulin <guilhem@debian.org>
Date: Sun, 8 Dec 2024 15:46:12 +0100
Message-id: <[🔎] Z1WxNL0Vw0ES6Y0Y@debian.org>
Mail-followup-to: debian-lts-announce@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3986-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
December 08, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : php7.4
Version        : 7.4.33-1+deb11u7
CVE ID         : CVE-2024-8929 CVE-2024-8932 CVE-2024-11233 CVE-2024-11234 
                 CVE-2024-11236
Debian Bug     : 1088688

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in denial of
service, authorization bypass, or information disclosure.

CVE-2024-8929

    Sébastien Rolland discovered a partial content leak of the heap
    through heap buffer over-read in mysqlnd.

    By connecting to a fake MySQL server or tampering with network
    packets and initiating a SQL Query, it is possible to abuse
    php_mysqlnd_rset_field_rea() when parsing MySQL fields packets in
    order to include the rest of the heap content starting from the
    address of the cursor of the currently read buffer.

CVE-2024-8932

    Yiheng Cao discovered that uncontrolled long string inputs to
    ldap_escape() on 32-bit systems can cause an integer overflow,
    resulting in an out-of-bounds write.

CVE-2024-11233

    A memory-related vulnerability was discovered in the filter handling
    system, particularly when processing input with
    convert.quoted-printable-decode filters, which could lead to a
    segmentation fault.

    This vulnerability is triggered through specific sequences of input
    data, causing PHP to crash.  When exploited, it allows an attacker
    to extract a single byte of data from the heap or result in denial
    of service.

CVE-2024-11234

    Lorenzo Leonardini discovered that Configuring a proxy in a stream
    context might allow for CRLF injection in URIs, which could lead to
    authorization bypass by Server Side Request Forgery attack (SSRF).

CVE-2024-11236

    An integer overflow vulnerability was found in the firebird and
    dblib quoters, which can result in out-of-bounds writes.

GHSA-4w77-75f9-2c8w

    A heap-use-after-free vulnerability was discovered in the
    sapi_read_post_data() function, which could allow an attacker to
    exploit memory safety issues during POST request processing.

For Debian 11 bullseye, these problems have been fixed in version
7.4.33-1+deb11u7.

We recommend that you upgrade your php7.4 packages.

For the detailed security status of php7.4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 3985-1] gsl security update
Next by Date: [SECURITY] [DLA 3987-1] renderdoc security update
Previous by thread: [SECURITY] [DLA 3985-1] gsl security update
Next by thread: [SECURITY] [DLA 3987-1] renderdoc security update
Index(es):
- Date
- Thread