During the month of October 2024 and on behalf of Freexian, I worked on the
following:
php7.4
------
Uploaded 7.4.33-1+deb11u6 and issued DLA-3920-1.
https://lists.debian.org/msgid-search/?m=Zw20sWdCj3zl6qlD@debian.org
* CVE-2022-4900: Setting the environment variable
PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer
overflow.
* CVE-2024-5458: A code logic error may lead to the downstream code
accepting invalid URLs as valid and parsing them incorrectly.
* CVE-2024-8925: Erroneous parsing of multipart form data contained in
an HTTP POST request.
* CVE-2024-9026: Log pollution in PHP-FPM when configured to catch
workers output.
* CVE-2024-8927: `cgi.force_redirect` configuration setting is
bypassable.
php7.3
------
Uploaded 7.3.31-1~deb10u8 (buster) and issued ELA-1206-1.
https://www.freexian.com/lts/extended/updates/ela-1206-1-php7.3/
* CVE-2024-8925: Erroneous parsing of multipart form data contained in
an HTTP POST request.
* CVE-2024-8927: `cgi.force_redirect` configuration setting is
bypassable.
php7.0
------
Uploaded 7.0.33-0+deb9u19 (stretch) and issued ELA-1207-1.
https://www.freexian.com/lts/extended/updates/ela-1207-1-php7.0/
* CVE-2024-8925: Erroneous parsing of multipart form data contained in
an HTTP POST request.
* CVE-2024-8927: `cgi.force_redirect` configuration setting is
bypassable.
php5
----
Uploaded 5.6.40+dfsg-0+deb8u21 (jessie) and issued ELA-1208-1.
https://www.freexian.com/lts/extended/updates/ela-1208-1-php5/
* CVE-2024-8925: Erroneous parsing of multipart form data contained in
an HTTP POST request.
* CVE-2024-8927: `cgi.force_redirect` configuration setting is
bypassable.
perl
----
Uploaded 5.32.1-4+deb11u4 and issued DLA-3926-1.
https://lists.debian.org/msgid-search/?m=ZxZh5eNEQThPxbSL@debian.org
* CVE-2020-16156: Signature verification bypass in CPAN.pm.
* CVE-2023-31484: CPAN::HTTP::Client did not verify X.509 certificates
in the HTTP::Tiny call.
Also, I reviewed Bastien's work for buster and jessie ELTS at his request.
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.