[SECURITY] [DLA 3997-1] php-laravel-framework security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3997-1] php-laravel-framework security update
From: "Chris Lamb" <lamby@debian.org>
Date: Sat, 21 Dec 2024 14:59:53 +0000
Message-id: <[🔎] 173478865870.108998.5860594735095479666@copycat>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3997-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
December 21, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : php-laravel-framework
Version        : 6.20.14+dfsg-2+deb11u2
CVE ID         : CVE-2024-52301
Debian Bug     : 1088189

It was discovered that there was a remotely exploitable vulnerability
in php-laravel-framework, a popular web application framework written
in PHP.

When the register_argc_argv php directive was set to "on" and users
called a URL with a specially-crafted query string, they were able to
change the environment used by the framework when handling the
request.

Laravel now ignores argv values for environment detection on non-CLI
APIs.

For Debian 11 bullseye, this problem has been fixed in version
6.20.14+dfsg-2+deb11u2.

We recommend that you upgrade your php-laravel-framework packages.

For the detailed security status of php-laravel-framework please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-laravel-framework

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmdmxjAACgkQHpU+J9Qx
HlglVQ/+Lu09RTK7yeVCzYSVUsBn+LRFpn94Q4r578g4SRWgTOKGDjDaMnFHqMs8
c9jIasTKhpqPR/O2FRFmZTAyKAYFHe8j12Ezxtce88InU3nalQzxUdiX6ZOQ1Av8
Qxk1+0ZJrqwaRE6d5fteMYjf41Kof7kHhCfmgnH8I1D2AYXQLgVojXLv5walbtDk
z5jKjbf86tcUKmHgyuS/ZF86PLOto4FFFqgNAyplBRhhB/tcgNDJ/ubXjVDNl6gx
bUcwJcgl2vhUg2Kuu5mxLu55DQC9zzoIxnzTeLd7LCUB+dohvxB4fj25ivj+4bM1
w3V9M/DlIoNBG0vWqpnYkCc1ko4sltiO1my2TST7iQEPoJcRtq+/KjQyisUL1DGY
eCVuolOynrvf5Mn5rn1QzkkloH0MT7LI7+W3E3PcyzU3QZPm9eZ4k/e0SROQnUyY
jzCWbmkQRkyltd051W+kQhdTtybAT9VhmYV4L1A0gtu3JQiqqc3z2j+cqXc1JUaJ
RtSj8wuNLJn7SHlP1Y5zbEyq9HsQEjoJl3EO8gRSZFaeJt8oceB/zy7lbezw++7s
QH2SuLYQJoC75ED3tFiZABt0lZv9VI0rwz7akcPLB9tNn/SgKn1swyxLsoCkDPGi
4xIUHdWeWXHT6NmEehY51OsmfVc6Qx3EGlLtETuctRmkd3FuzwE=
=ugRC
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3996-1] gunicorn security update
Next by Date: [SECURITY] [DLA 3998-1] python-urllib3 security update
Previous by thread: [SECURITY] [DLA 3996-1] gunicorn security update
Next by thread: [SECURITY] [DLA 3998-1] python-urllib3 security update
Index(es):
- Date
- Thread