Описание
Security update for php8
This update for php8 fixes the following issues:
- php8 was updated to version 8.0.24
- php8 was updated to version 8.0.23 (jsc#SLE-23639).
- CVE-2021-21703: Fixed a local privilege escalation via PHP-FPM. (bsc#1192050)
- CVE-2022-31628: Fixed an uncontrolled recursion in the phar uncompressor while decompressing 'quines' gzip files. (bsc#1203867)
- CVE-2022-31629: Fixed a bug which could lead an attacker to set an insecure cookie that will treated as secure in the victim's browser. (bsc#1203870)
- Fixed missing devel package requires pear and pecl extensions (jsc#SLE-24723, bsc#1200772).
Список пакетов
Container bci/php-apache:8
apache2-mod_php8-8.0.24-150400.4.14.1
php8-8.0.24-150400.4.14.1
php8-cli-8.0.24-150400.4.14.1
php8-curl-8.0.24-150400.4.14.1
php8-mbstring-8.0.24-150400.4.14.1
php8-openssl-8.0.24-150400.4.14.1
php8-phar-8.0.24-150400.4.14.1
php8-zip-8.0.24-150400.4.14.1
php8-zlib-8.0.24-150400.4.14.1
Container bci/php-apache:latest
apache2-mod_php8-8.0.24-150400.4.14.1
php8-8.0.24-150400.4.14.1
php8-cli-8.0.24-150400.4.14.1
php8-curl-8.0.24-150400.4.14.1
php8-mbstring-8.0.24-150400.4.14.1
php8-openssl-8.0.24-150400.4.14.1
php8-phar-8.0.24-150400.4.14.1
php8-zip-8.0.24-150400.4.14.1
php8-zlib-8.0.24-150400.4.14.1
Container bci/php-fpm:8
php8-8.0.24-150400.4.14.1
php8-cli-8.0.24-150400.4.14.1
php8-curl-8.0.24-150400.4.14.1
php8-fpm-8.0.24-150400.4.14.1
php8-mbstring-8.0.24-150400.4.14.1
php8-openssl-8.0.24-150400.4.14.1
php8-phar-8.0.24-150400.4.14.1
php8-zip-8.0.24-150400.4.14.1
php8-zlib-8.0.24-150400.4.14.1
Container bci/php-fpm:latest
php8-8.0.24-150400.4.14.1
php8-cli-8.0.24-150400.4.14.1
php8-curl-8.0.24-150400.4.14.1
php8-fpm-8.0.24-150400.4.14.1
php8-mbstring-8.0.24-150400.4.14.1
php8-openssl-8.0.24-150400.4.14.1
php8-phar-8.0.24-150400.4.14.1
php8-zip-8.0.24-150400.4.14.1
php8-zlib-8.0.24-150400.4.14.1
Container bci/php:8
php8-8.0.24-150400.4.14.1
php8-cli-8.0.24-150400.4.14.1
php8-curl-8.0.24-150400.4.14.1
php8-mbstring-8.0.24-150400.4.14.1
php8-openssl-8.0.24-150400.4.14.1
php8-phar-8.0.24-150400.4.14.1
php8-zip-8.0.24-150400.4.14.1
php8-zlib-8.0.24-150400.4.14.1
Container bci/php:latest
php8-8.0.24-150400.4.14.1
php8-cli-8.0.24-150400.4.14.1
php8-curl-8.0.24-150400.4.14.1
php8-mbstring-8.0.24-150400.4.14.1
php8-openssl-8.0.24-150400.4.14.1
php8-phar-8.0.24-150400.4.14.1
php8-readline-8.0.24-150400.4.14.1
php8-zip-8.0.24-150400.4.14.1
php8-zlib-8.0.24-150400.4.14.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4
apache2-mod_php8-8.0.24-150400.4.14.1
php8-8.0.24-150400.4.14.1
php8-bcmath-8.0.24-150400.4.14.1
php8-bz2-8.0.24-150400.4.14.1
php8-calendar-8.0.24-150400.4.14.1
php8-cli-8.0.24-150400.4.14.1
php8-ctype-8.0.24-150400.4.14.1
php8-curl-8.0.24-150400.4.14.1
php8-dba-8.0.24-150400.4.14.1
php8-devel-8.0.24-150400.4.14.1
php8-dom-8.0.24-150400.4.14.1
php8-embed-8.0.24-150400.4.14.1
php8-enchant-8.0.24-150400.4.14.1
php8-exif-8.0.24-150400.4.14.1
php8-fastcgi-8.0.24-150400.4.14.1
php8-fileinfo-8.0.24-150400.4.14.1
php8-fpm-8.0.24-150400.4.14.1
php8-ftp-8.0.24-150400.4.14.1
php8-gd-8.0.24-150400.4.14.1
php8-gettext-8.0.24-150400.4.14.1
php8-gmp-8.0.24-150400.4.14.1
php8-iconv-8.0.24-150400.4.14.1
php8-intl-8.0.24-150400.4.14.1
php8-ldap-8.0.24-150400.4.14.1
php8-mbstring-8.0.24-150400.4.14.1
php8-mysql-8.0.24-150400.4.14.1
php8-odbc-8.0.24-150400.4.14.1
php8-opcache-8.0.24-150400.4.14.1
php8-openssl-8.0.24-150400.4.14.1
php8-pcntl-8.0.24-150400.4.14.1
php8-pdo-8.0.24-150400.4.14.1
php8-pgsql-8.0.24-150400.4.14.1
php8-phar-8.0.24-150400.4.14.1
php8-posix-8.0.24-150400.4.14.1
php8-readline-8.0.24-150400.4.14.1
php8-shmop-8.0.24-150400.4.14.1
php8-snmp-8.0.24-150400.4.14.1
php8-soap-8.0.24-150400.4.14.1
php8-sockets-8.0.24-150400.4.14.1
php8-sodium-8.0.24-150400.4.14.1
php8-sqlite-8.0.24-150400.4.14.1
php8-sysvmsg-8.0.24-150400.4.14.1
php8-sysvsem-8.0.24-150400.4.14.1
php8-sysvshm-8.0.24-150400.4.14.1
php8-test-8.0.24-150400.4.14.1
php8-tidy-8.0.24-150400.4.14.1
php8-tokenizer-8.0.24-150400.4.14.1
php8-xmlreader-8.0.24-150400.4.14.1
php8-xmlwriter-8.0.24-150400.4.14.1
php8-xsl-8.0.24-150400.4.14.1
php8-zip-8.0.24-150400.4.14.1
php8-zlib-8.0.24-150400.4.14.1
openSUSE Leap 15.4
apache2-mod_php8-8.0.24-150400.4.14.1
php8-8.0.24-150400.4.14.1
php8-bcmath-8.0.24-150400.4.14.1
php8-bz2-8.0.24-150400.4.14.1
php8-calendar-8.0.24-150400.4.14.1
php8-cli-8.0.24-150400.4.14.1
php8-ctype-8.0.24-150400.4.14.1
php8-curl-8.0.24-150400.4.14.1
php8-dba-8.0.24-150400.4.14.1
php8-devel-8.0.24-150400.4.14.1
php8-dom-8.0.24-150400.4.14.1
php8-embed-8.0.24-150400.4.14.1
php8-enchant-8.0.24-150400.4.14.1
php8-exif-8.0.24-150400.4.14.1
php8-fastcgi-8.0.24-150400.4.14.1
php8-fileinfo-8.0.24-150400.4.14.1
php8-fpm-8.0.24-150400.4.14.1
php8-ftp-8.0.24-150400.4.14.1
php8-gd-8.0.24-150400.4.14.1
php8-gettext-8.0.24-150400.4.14.1
php8-gmp-8.0.24-150400.4.14.1
php8-iconv-8.0.24-150400.4.14.1
php8-intl-8.0.24-150400.4.14.1
php8-ldap-8.0.24-150400.4.14.1
php8-mbstring-8.0.24-150400.4.14.1
php8-mysql-8.0.24-150400.4.14.1
php8-odbc-8.0.24-150400.4.14.1
php8-opcache-8.0.24-150400.4.14.1
php8-openssl-8.0.24-150400.4.14.1
php8-pcntl-8.0.24-150400.4.14.1
php8-pdo-8.0.24-150400.4.14.1
php8-pgsql-8.0.24-150400.4.14.1
php8-phar-8.0.24-150400.4.14.1
php8-posix-8.0.24-150400.4.14.1
php8-readline-8.0.24-150400.4.14.1
php8-shmop-8.0.24-150400.4.14.1
php8-snmp-8.0.24-150400.4.14.1
php8-soap-8.0.24-150400.4.14.1
php8-sockets-8.0.24-150400.4.14.1
php8-sodium-8.0.24-150400.4.14.1
php8-sqlite-8.0.24-150400.4.14.1
php8-sysvmsg-8.0.24-150400.4.14.1
php8-sysvsem-8.0.24-150400.4.14.1
php8-sysvshm-8.0.24-150400.4.14.1
php8-test-8.0.24-150400.4.14.1
php8-tidy-8.0.24-150400.4.14.1
php8-tokenizer-8.0.24-150400.4.14.1
php8-xmlreader-8.0.24-150400.4.14.1
php8-xmlwriter-8.0.24-150400.4.14.1
php8-xsl-8.0.24-150400.4.14.1
php8-zip-8.0.24-150400.4.14.1
php8-zlib-8.0.24-150400.4.14.1
Ссылки
- Link for SUSE-SU-2022:3661-1
- E-Mail link for SUSE-SU-2022:3661-1
- SUSE Security Ratings
- SUSE Bug 1192050
- SUSE Bug 1200772
- SUSE Bug 1203867
- SUSE Bug 1203870
- SUSE CVE CVE-2021-21703 page
- SUSE CVE CVE-2022-31628 page
- SUSE CVE CVE-2022-31629 page
Описание
In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.
Затронутые продукты
Container bci/php-apache:8:apache2-mod_php8-8.0.24-150400.4.14.1
Container bci/php-apache:8:php8-8.0.24-150400.4.14.1
Container bci/php-apache:8:php8-cli-8.0.24-150400.4.14.1
Container bci/php-apache:8:php8-curl-8.0.24-150400.4.14.1
Ссылки
- CVE-2021-21703
- SUSE Bug 1192050
Описание
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.
Затронутые продукты
Container bci/php-apache:8:apache2-mod_php8-8.0.24-150400.4.14.1
Container bci/php-apache:8:php8-8.0.24-150400.4.14.1
Container bci/php-apache:8:php8-cli-8.0.24-150400.4.14.1
Container bci/php-apache:8:php8-curl-8.0.24-150400.4.14.1
Ссылки
- CVE-2022-31628
- SUSE Bug 1203867
Описание
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.
Затронутые продукты
Container bci/php-apache:8:apache2-mod_php8-8.0.24-150400.4.14.1
Container bci/php-apache:8:php8-8.0.24-150400.4.14.1
Container bci/php-apache:8:php8-cli-8.0.24-150400.4.14.1
Container bci/php-apache:8:php8-curl-8.0.24-150400.4.14.1
Ссылки
- CVE-2022-31629
- SUSE Bug 1203870
- SUSE Bug 1222857