Description
Security update for php8
This update for php8 fixes the following issues:
- CVE-2024-2756: Fixed bypass of the security fix applied for CVE-2022-31629 that led PHP to treat insecure cookies as secure (bsc#1222857)
- CVE-2024-3096: Fixed bypass for passwords with a leading null byte checked via password_verify (bsc#1222858)
Package list
Container bci/php-apache:latest
apache2-mod_php8-8.0.30-150400.4.40.1
php8-8.0.30-150400.4.40.1
php8-cli-8.0.30-150400.4.40.1
php8-curl-8.0.30-150400.4.40.1
php8-mbstring-8.0.30-150400.4.40.1
php8-openssl-8.0.30-150400.4.40.1
php8-phar-8.0.30-150400.4.40.1
php8-zip-8.0.30-150400.4.40.1
php8-zlib-8.0.30-150400.4.40.1
Container bci/php-fpm:latest
php8-8.0.30-150400.4.40.1
php8-cli-8.0.30-150400.4.40.1
php8-curl-8.0.30-150400.4.40.1
php8-fpm-8.0.30-150400.4.40.1
php8-mbstring-8.0.30-150400.4.40.1
php8-openssl-8.0.30-150400.4.40.1
php8-phar-8.0.30-150400.4.40.1
php8-zip-8.0.30-150400.4.40.1
php8-zlib-8.0.30-150400.4.40.1
Container bci/php:latest
php8-8.0.30-150400.4.40.1
php8-cli-8.0.30-150400.4.40.1
php8-curl-8.0.30-150400.4.40.1
php8-mbstring-8.0.30-150400.4.40.1
php8-openssl-8.0.30-150400.4.40.1
php8-phar-8.0.30-150400.4.40.1
php8-readline-8.0.30-150400.4.40.1
php8-zip-8.0.30-150400.4.40.1
php8-zlib-8.0.30-150400.4.40.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP5
apache2-mod_php8-8.0.30-150400.4.40.1
php8-8.0.30-150400.4.40.1
php8-bcmath-8.0.30-150400.4.40.1
php8-bz2-8.0.30-150400.4.40.1
php8-calendar-8.0.30-150400.4.40.1
php8-cli-8.0.30-150400.4.40.1
php8-ctype-8.0.30-150400.4.40.1
php8-curl-8.0.30-150400.4.40.1
php8-dba-8.0.30-150400.4.40.1
php8-devel-8.0.30-150400.4.40.1
php8-dom-8.0.30-150400.4.40.1
php8-embed-8.0.30-150400.4.40.1
php8-enchant-8.0.30-150400.4.40.1
php8-exif-8.0.30-150400.4.40.1
php8-fastcgi-8.0.30-150400.4.40.1
php8-fileinfo-8.0.30-150400.4.40.1
php8-fpm-8.0.30-150400.4.40.1
php8-ftp-8.0.30-150400.4.40.1
php8-gd-8.0.30-150400.4.40.1
php8-gettext-8.0.30-150400.4.40.1
php8-gmp-8.0.30-150400.4.40.1
php8-iconv-8.0.30-150400.4.40.1
php8-intl-8.0.30-150400.4.40.1
php8-ldap-8.0.30-150400.4.40.1
php8-mbstring-8.0.30-150400.4.40.1
php8-mysql-8.0.30-150400.4.40.1
php8-odbc-8.0.30-150400.4.40.1
php8-opcache-8.0.30-150400.4.40.1
php8-openssl-8.0.30-150400.4.40.1
php8-pcntl-8.0.30-150400.4.40.1
php8-pdo-8.0.30-150400.4.40.1
php8-pgsql-8.0.30-150400.4.40.1
php8-phar-8.0.30-150400.4.40.1
php8-posix-8.0.30-150400.4.40.1
php8-readline-8.0.30-150400.4.40.1
php8-shmop-8.0.30-150400.4.40.1
php8-snmp-8.0.30-150400.4.40.1
php8-soap-8.0.30-150400.4.40.1
php8-sockets-8.0.30-150400.4.40.1
php8-sodium-8.0.30-150400.4.40.1
php8-sqlite-8.0.30-150400.4.40.1
php8-sysvmsg-8.0.30-150400.4.40.1
php8-sysvsem-8.0.30-150400.4.40.1
php8-sysvshm-8.0.30-150400.4.40.1
php8-test-8.0.30-150400.4.40.1
php8-tidy-8.0.30-150400.4.40.1
php8-tokenizer-8.0.30-150400.4.40.1
php8-xmlreader-8.0.30-150400.4.40.1
php8-xmlwriter-8.0.30-150400.4.40.1
php8-xsl-8.0.30-150400.4.40.1
php8-zip-8.0.30-150400.4.40.1
php8-zlib-8.0.30-150400.4.40.1
openSUSE Leap 15.5
apache2-mod_php8-8.0.30-150400.4.40.1
php8-8.0.30-150400.4.40.1
php8-bcmath-8.0.30-150400.4.40.1
php8-bz2-8.0.30-150400.4.40.1
php8-calendar-8.0.30-150400.4.40.1
php8-cli-8.0.30-150400.4.40.1
php8-ctype-8.0.30-150400.4.40.1
php8-curl-8.0.30-150400.4.40.1
php8-dba-8.0.30-150400.4.40.1
php8-devel-8.0.30-150400.4.40.1
php8-dom-8.0.30-150400.4.40.1
php8-embed-8.0.30-150400.4.40.1
php8-enchant-8.0.30-150400.4.40.1
php8-exif-8.0.30-150400.4.40.1
php8-fastcgi-8.0.30-150400.4.40.1
php8-fileinfo-8.0.30-150400.4.40.1
php8-fpm-8.0.30-150400.4.40.1
php8-ftp-8.0.30-150400.4.40.1
php8-gd-8.0.30-150400.4.40.1
php8-gettext-8.0.30-150400.4.40.1
php8-gmp-8.0.30-150400.4.40.1
php8-iconv-8.0.30-150400.4.40.1
php8-intl-8.0.30-150400.4.40.1
php8-ldap-8.0.30-150400.4.40.1
php8-mbstring-8.0.30-150400.4.40.1
php8-mysql-8.0.30-150400.4.40.1
php8-odbc-8.0.30-150400.4.40.1
php8-opcache-8.0.30-150400.4.40.1
php8-openssl-8.0.30-150400.4.40.1
php8-pcntl-8.0.30-150400.4.40.1
php8-pdo-8.0.30-150400.4.40.1
php8-pgsql-8.0.30-150400.4.40.1
php8-phar-8.0.30-150400.4.40.1
php8-posix-8.0.30-150400.4.40.1
php8-readline-8.0.30-150400.4.40.1
php8-shmop-8.0.30-150400.4.40.1
php8-snmp-8.0.30-150400.4.40.1
php8-soap-8.0.30-150400.4.40.1
php8-sockets-8.0.30-150400.4.40.1
php8-sodium-8.0.30-150400.4.40.1
php8-sqlite-8.0.30-150400.4.40.1
php8-sysvmsg-8.0.30-150400.4.40.1
php8-sysvsem-8.0.30-150400.4.40.1
php8-sysvshm-8.0.30-150400.4.40.1
php8-test-8.0.30-150400.4.40.1
php8-tidy-8.0.30-150400.4.40.1
php8-tokenizer-8.0.30-150400.4.40.1
php8-xmlreader-8.0.30-150400.4.40.1
php8-xmlwriter-8.0.30-150400.4.40.1
php8-xsl-8.0.30-150400.4.40.1
php8-zip-8.0.30-150400.4.40.1
php8-zlib-8.0.30-150400.4.40.1
References
- Link for SUSE-SU-2024:1446-1
- E-Mail link for SUSE-SU-2024:1446-1
- SUSE Security Ratings
- SUSE Bug 1222857
- SUSE Bug 1222858
- SUSE CVE CVE-2024-2756 page
- SUSE CVE CVE-2024-3096 page
Description
Due to an incomplete fix for CVE-2022-31629 (https://github.com/advisories/GHSA-c43m-486j-j32p), network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.
Affected products
Container bci/php-apache:latest:apache2-mod_php8-8.0.30-150400.4.40.1
Container bci/php-apache:latest:php8-8.0.30-150400.4.40.1
Container bci/php-apache:latest:php8-cli-8.0.30-150400.4.40.1
Container bci/php-apache:latest:php8-curl-8.0.30-150400.4.40.1
References
- CVE-2024-2756
- SUSE Bug 1222857
Description
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
Affected products
Container bci/php-apache:latest:apache2-mod_php8-8.0.30-150400.4.40.1
Container bci/php-apache:latest:php8-8.0.30-150400.4.40.1
Container bci/php-apache:latest:php8-cli-8.0.30-150400.4.40.1
Container bci/php-apache:latest:php8-curl-8.0.30-150400.4.40.1
References
- CVE-2024-3096
- SUSE Bug 1222858