Описание
Security update for php74
This update for php74 fixes the following issues:
- CVE-2024-2756: Fixed bypass of security fix applied for CVE-2022-31629 that lead PHP to consider not secure cookies as secure (bsc#1222857)
- CVE-2024-3096: Fixed bypass on null byte leading passwords checked via password_verify (bsc#1222858)
Список пакетов
SUSE Linux Enterprise Module for Web and Scripting 12
apache2-mod_php74-7.4.33-1.65.1
php74-7.4.33-1.65.1
php74-bcmath-7.4.33-1.65.1
php74-bz2-7.4.33-1.65.1
php74-calendar-7.4.33-1.65.1
php74-ctype-7.4.33-1.65.1
php74-curl-7.4.33-1.65.1
php74-dba-7.4.33-1.65.1
php74-dom-7.4.33-1.65.1
php74-enchant-7.4.33-1.65.1
php74-exif-7.4.33-1.65.1
php74-fastcgi-7.4.33-1.65.1
php74-fileinfo-7.4.33-1.65.1
php74-fpm-7.4.33-1.65.1
php74-ftp-7.4.33-1.65.1
php74-gd-7.4.33-1.65.1
php74-gettext-7.4.33-1.65.1
php74-gmp-7.4.33-1.65.1
php74-iconv-7.4.33-1.65.1
php74-intl-7.4.33-1.65.1
php74-json-7.4.33-1.65.1
php74-ldap-7.4.33-1.65.1
php74-mbstring-7.4.33-1.65.1
php74-mysql-7.4.33-1.65.1
php74-odbc-7.4.33-1.65.1
php74-opcache-7.4.33-1.65.1
php74-openssl-7.4.33-1.65.1
php74-pcntl-7.4.33-1.65.1
php74-pdo-7.4.33-1.65.1
php74-pgsql-7.4.33-1.65.1
php74-phar-7.4.33-1.65.1
php74-posix-7.4.33-1.65.1
php74-readline-7.4.33-1.65.1
php74-shmop-7.4.33-1.65.1
php74-snmp-7.4.33-1.65.1
php74-soap-7.4.33-1.65.1
php74-sockets-7.4.33-1.65.1
php74-sodium-7.4.33-1.65.1
php74-sqlite-7.4.33-1.65.1
php74-sysvmsg-7.4.33-1.65.1
php74-sysvsem-7.4.33-1.65.1
php74-sysvshm-7.4.33-1.65.1
php74-tidy-7.4.33-1.65.1
php74-tokenizer-7.4.33-1.65.1
php74-xmlreader-7.4.33-1.65.1
php74-xmlrpc-7.4.33-1.65.1
php74-xmlwriter-7.4.33-1.65.1
php74-xsl-7.4.33-1.65.1
php74-zip-7.4.33-1.65.1
php74-zlib-7.4.33-1.65.1
SUSE Linux Enterprise Software Development Kit 12 SP5
php74-devel-7.4.33-1.65.1
Ссылки
- Link for SUSE-SU-2024:1445-1
- E-Mail link for SUSE-SU-2024:1445-1
- SUSE Security Ratings
- SUSE Bug 1222857
- SUSE Bug 1222858
- SUSE CVE CVE-2024-2756 page
- SUSE CVE CVE-2024-3096 page
Описание
Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.
Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:apache2-mod_php74-7.4.33-1.65.1
SUSE Linux Enterprise Module for Web and Scripting 12:php74-7.4.33-1.65.1
SUSE Linux Enterprise Module for Web and Scripting 12:php74-bcmath-7.4.33-1.65.1
SUSE Linux Enterprise Module for Web and Scripting 12:php74-bz2-7.4.33-1.65.1
Ссылки
- CVE-2024-2756
- SUSE Bug 1222857
Описание
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:apache2-mod_php74-7.4.33-1.65.1
SUSE Linux Enterprise Module for Web and Scripting 12:php74-7.4.33-1.65.1
SUSE Linux Enterprise Module for Web and Scripting 12:php74-bcmath-7.4.33-1.65.1
SUSE Linux Enterprise Module for Web and Scripting 12:php74-bz2-7.4.33-1.65.1
Ссылки
- CVE-2024-3096
- SUSE Bug 1222858