Описание
Security update for php7
This update for php7 fixes the following issues:
- CVE-2024-2756: Fixed bypass of security fix applied for CVE-2022-31629 that lead PHP to consider not secure cookies as secure (bsc#1222857)
- CVE-2024-3096: Fixed bypass on null byte leading passwords checked via password_verify (bsc#1222858)
Список пакетов
SUSE Linux Enterprise Module for Legacy 15 SP5
apache2-mod_php7-7.4.33-150400.4.34.1
php7-7.4.33-150400.4.34.1
php7-bcmath-7.4.33-150400.4.34.1
php7-bz2-7.4.33-150400.4.34.1
php7-calendar-7.4.33-150400.4.34.1
php7-cli-7.4.33-150400.4.34.1
php7-ctype-7.4.33-150400.4.34.1
php7-curl-7.4.33-150400.4.34.1
php7-dba-7.4.33-150400.4.34.1
php7-devel-7.4.33-150400.4.34.1
php7-dom-7.4.33-150400.4.34.1
php7-enchant-7.4.33-150400.4.34.1
php7-exif-7.4.33-150400.4.34.1
php7-fastcgi-7.4.33-150400.4.34.1
php7-fileinfo-7.4.33-150400.4.34.1
php7-fpm-7.4.33-150400.4.34.1
php7-ftp-7.4.33-150400.4.34.1
php7-gd-7.4.33-150400.4.34.1
php7-gettext-7.4.33-150400.4.34.1
php7-gmp-7.4.33-150400.4.34.1
php7-iconv-7.4.33-150400.4.34.1
php7-intl-7.4.33-150400.4.34.1
php7-json-7.4.33-150400.4.34.1
php7-ldap-7.4.33-150400.4.34.1
php7-mbstring-7.4.33-150400.4.34.1
php7-mysql-7.4.33-150400.4.34.1
php7-odbc-7.4.33-150400.4.34.1
php7-opcache-7.4.33-150400.4.34.1
php7-openssl-7.4.33-150400.4.34.1
php7-pcntl-7.4.33-150400.4.34.1
php7-pdo-7.4.33-150400.4.34.1
php7-pgsql-7.4.33-150400.4.34.1
php7-phar-7.4.33-150400.4.34.1
php7-posix-7.4.33-150400.4.34.1
php7-readline-7.4.33-150400.4.34.1
php7-shmop-7.4.33-150400.4.34.1
php7-snmp-7.4.33-150400.4.34.1
php7-soap-7.4.33-150400.4.34.1
php7-sockets-7.4.33-150400.4.34.1
php7-sodium-7.4.33-150400.4.34.1
php7-sqlite-7.4.33-150400.4.34.1
php7-sysvmsg-7.4.33-150400.4.34.1
php7-sysvsem-7.4.33-150400.4.34.1
php7-sysvshm-7.4.33-150400.4.34.1
php7-tidy-7.4.33-150400.4.34.1
php7-tokenizer-7.4.33-150400.4.34.1
php7-xmlreader-7.4.33-150400.4.34.1
php7-xmlrpc-7.4.33-150400.4.34.1
php7-xmlwriter-7.4.33-150400.4.34.1
php7-xsl-7.4.33-150400.4.34.1
php7-zip-7.4.33-150400.4.34.1
php7-zlib-7.4.33-150400.4.34.1
SUSE Linux Enterprise Module for Package Hub 15 SP5
php7-embed-7.4.33-150400.4.34.1
openSUSE Leap 15.5
apache2-mod_php7-7.4.33-150400.4.34.1
php7-7.4.33-150400.4.34.1
php7-bcmath-7.4.33-150400.4.34.1
php7-bz2-7.4.33-150400.4.34.1
php7-calendar-7.4.33-150400.4.34.1
php7-cli-7.4.33-150400.4.34.1
php7-ctype-7.4.33-150400.4.34.1
php7-curl-7.4.33-150400.4.34.1
php7-dba-7.4.33-150400.4.34.1
php7-devel-7.4.33-150400.4.34.1
php7-dom-7.4.33-150400.4.34.1
php7-embed-7.4.33-150400.4.34.1
php7-enchant-7.4.33-150400.4.34.1
php7-exif-7.4.33-150400.4.34.1
php7-fastcgi-7.4.33-150400.4.34.1
php7-fileinfo-7.4.33-150400.4.34.1
php7-fpm-7.4.33-150400.4.34.1
php7-ftp-7.4.33-150400.4.34.1
php7-gd-7.4.33-150400.4.34.1
php7-gettext-7.4.33-150400.4.34.1
php7-gmp-7.4.33-150400.4.34.1
php7-iconv-7.4.33-150400.4.34.1
php7-intl-7.4.33-150400.4.34.1
php7-json-7.4.33-150400.4.34.1
php7-ldap-7.4.33-150400.4.34.1
php7-mbstring-7.4.33-150400.4.34.1
php7-mysql-7.4.33-150400.4.34.1
php7-odbc-7.4.33-150400.4.34.1
php7-opcache-7.4.33-150400.4.34.1
php7-openssl-7.4.33-150400.4.34.1
php7-pcntl-7.4.33-150400.4.34.1
php7-pdo-7.4.33-150400.4.34.1
php7-pgsql-7.4.33-150400.4.34.1
php7-phar-7.4.33-150400.4.34.1
php7-posix-7.4.33-150400.4.34.1
php7-readline-7.4.33-150400.4.34.1
php7-shmop-7.4.33-150400.4.34.1
php7-snmp-7.4.33-150400.4.34.1
php7-soap-7.4.33-150400.4.34.1
php7-sockets-7.4.33-150400.4.34.1
php7-sodium-7.4.33-150400.4.34.1
php7-sqlite-7.4.33-150400.4.34.1
php7-sysvmsg-7.4.33-150400.4.34.1
php7-sysvsem-7.4.33-150400.4.34.1
php7-sysvshm-7.4.33-150400.4.34.1
php7-test-7.4.33-150400.4.34.1
php7-tidy-7.4.33-150400.4.34.1
php7-tokenizer-7.4.33-150400.4.34.1
php7-xmlreader-7.4.33-150400.4.34.1
php7-xmlrpc-7.4.33-150400.4.34.1
php7-xmlwriter-7.4.33-150400.4.34.1
php7-xsl-7.4.33-150400.4.34.1
php7-zip-7.4.33-150400.4.34.1
php7-zlib-7.4.33-150400.4.34.1
Ссылки
- Link for SUSE-SU-2024:1444-1
- E-Mail link for SUSE-SU-2024:1444-1
- SUSE Security Ratings
- SUSE Bug 1222857
- SUSE Bug 1222858
- SUSE CVE CVE-2024-2756 page
- SUSE CVE CVE-2024-3096 page
Описание
Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.
Затронутые продукты
SUSE Linux Enterprise Module for Legacy 15 SP5:apache2-mod_php7-7.4.33-150400.4.34.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-7.4.33-150400.4.34.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-bcmath-7.4.33-150400.4.34.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-bz2-7.4.33-150400.4.34.1
Ссылки
- CVE-2024-2756
- SUSE Bug 1222857
Описание
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
Затронутые продукты
SUSE Linux Enterprise Module for Legacy 15 SP5:apache2-mod_php7-7.4.33-150400.4.34.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-7.4.33-150400.4.34.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-bcmath-7.4.33-150400.4.34.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-bz2-7.4.33-150400.4.34.1
Ссылки
- CVE-2024-3096
- SUSE Bug 1222858