SUSE-SU-2024:3733-1

Published: 18 Oct 2024
Source: suse-cvrf

Description

Security update for php7

This update for php7 fixes the following issues:

  • CVE-2024-8925: Fixed erroneous parsing of multipart form data in HTTP POST requests that leads to legitimate data not being processed (bsc#1231360)
  • CVE-2024-8927: Fixed cgi.force_redirect configuration being bypassable due to an environment variable collision (bsc#1231358)
  • CVE-2024-9026: Fixed pollution of worker output logs in PHP-FPM (bsc#1231382)

Package list

SUSE Linux Enterprise Module for Legacy 15 SP5
apache2-mod_php7-7.4.33-150400.4.40.1
php7-7.4.33-150400.4.40.1
php7-bcmath-7.4.33-150400.4.40.1
php7-bz2-7.4.33-150400.4.40.1
php7-calendar-7.4.33-150400.4.40.1
php7-cli-7.4.33-150400.4.40.1
php7-ctype-7.4.33-150400.4.40.1
php7-curl-7.4.33-150400.4.40.1
php7-dba-7.4.33-150400.4.40.1
php7-devel-7.4.33-150400.4.40.1
php7-dom-7.4.33-150400.4.40.1
php7-enchant-7.4.33-150400.4.40.1
php7-exif-7.4.33-150400.4.40.1
php7-fastcgi-7.4.33-150400.4.40.1
php7-fileinfo-7.4.33-150400.4.40.1
php7-fpm-7.4.33-150400.4.40.1
php7-ftp-7.4.33-150400.4.40.1
php7-gd-7.4.33-150400.4.40.1
php7-gettext-7.4.33-150400.4.40.1
php7-gmp-7.4.33-150400.4.40.1
php7-iconv-7.4.33-150400.4.40.1
php7-intl-7.4.33-150400.4.40.1
php7-json-7.4.33-150400.4.40.1
php7-ldap-7.4.33-150400.4.40.1
php7-mbstring-7.4.33-150400.4.40.1
php7-mysql-7.4.33-150400.4.40.1
php7-odbc-7.4.33-150400.4.40.1
php7-opcache-7.4.33-150400.4.40.1
php7-openssl-7.4.33-150400.4.40.1
php7-pcntl-7.4.33-150400.4.40.1
php7-pdo-7.4.33-150400.4.40.1
php7-pgsql-7.4.33-150400.4.40.1
php7-phar-7.4.33-150400.4.40.1
php7-posix-7.4.33-150400.4.40.1
php7-readline-7.4.33-150400.4.40.1
php7-shmop-7.4.33-150400.4.40.1
php7-snmp-7.4.33-150400.4.40.1
php7-soap-7.4.33-150400.4.40.1
php7-sockets-7.4.33-150400.4.40.1
php7-sodium-7.4.33-150400.4.40.1
php7-sqlite-7.4.33-150400.4.40.1
php7-sysvmsg-7.4.33-150400.4.40.1
php7-sysvsem-7.4.33-150400.4.40.1
php7-sysvshm-7.4.33-150400.4.40.1
php7-tidy-7.4.33-150400.4.40.1
php7-tokenizer-7.4.33-150400.4.40.1
php7-xmlreader-7.4.33-150400.4.40.1
php7-xmlrpc-7.4.33-150400.4.40.1
php7-xmlwriter-7.4.33-150400.4.40.1
php7-xsl-7.4.33-150400.4.40.1
php7-zip-7.4.33-150400.4.40.1
php7-zlib-7.4.33-150400.4.40.1
SUSE Linux Enterprise Module for Legacy 15 SP6
apache2-mod_php7-7.4.33-150400.4.40.1
php7-7.4.33-150400.4.40.1
php7-bcmath-7.4.33-150400.4.40.1
php7-bz2-7.4.33-150400.4.40.1
php7-calendar-7.4.33-150400.4.40.1
php7-cli-7.4.33-150400.4.40.1
php7-ctype-7.4.33-150400.4.40.1
php7-curl-7.4.33-150400.4.40.1
php7-dba-7.4.33-150400.4.40.1
php7-devel-7.4.33-150400.4.40.1
php7-dom-7.4.33-150400.4.40.1
php7-enchant-7.4.33-150400.4.40.1
php7-exif-7.4.33-150400.4.40.1
php7-fastcgi-7.4.33-150400.4.40.1
php7-fileinfo-7.4.33-150400.4.40.1
php7-fpm-7.4.33-150400.4.40.1
php7-ftp-7.4.33-150400.4.40.1
php7-gd-7.4.33-150400.4.40.1
php7-gettext-7.4.33-150400.4.40.1
php7-gmp-7.4.33-150400.4.40.1
php7-iconv-7.4.33-150400.4.40.1
php7-intl-7.4.33-150400.4.40.1
php7-json-7.4.33-150400.4.40.1
php7-ldap-7.4.33-150400.4.40.1
php7-mbstring-7.4.33-150400.4.40.1
php7-mysql-7.4.33-150400.4.40.1
php7-odbc-7.4.33-150400.4.40.1
php7-opcache-7.4.33-150400.4.40.1
php7-openssl-7.4.33-150400.4.40.1
php7-pcntl-7.4.33-150400.4.40.1
php7-pdo-7.4.33-150400.4.40.1
php7-pgsql-7.4.33-150400.4.40.1
php7-phar-7.4.33-150400.4.40.1
php7-posix-7.4.33-150400.4.40.1
php7-readline-7.4.33-150400.4.40.1
php7-shmop-7.4.33-150400.4.40.1
php7-snmp-7.4.33-150400.4.40.1
php7-soap-7.4.33-150400.4.40.1
php7-sockets-7.4.33-150400.4.40.1
php7-sodium-7.4.33-150400.4.40.1
php7-sqlite-7.4.33-150400.4.40.1
php7-sysvmsg-7.4.33-150400.4.40.1
php7-sysvsem-7.4.33-150400.4.40.1
php7-sysvshm-7.4.33-150400.4.40.1
php7-tidy-7.4.33-150400.4.40.1
php7-tokenizer-7.4.33-150400.4.40.1
php7-xmlreader-7.4.33-150400.4.40.1
php7-xmlrpc-7.4.33-150400.4.40.1
php7-xmlwriter-7.4.33-150400.4.40.1
php7-xsl-7.4.33-150400.4.40.1
php7-zip-7.4.33-150400.4.40.1
php7-zlib-7.4.33-150400.4.40.1
SUSE Linux Enterprise Module for Package Hub 15 SP5
php7-embed-7.4.33-150400.4.40.1
SUSE Linux Enterprise Module for Package Hub 15 SP6
php7-embed-7.4.33-150400.4.40.1
openSUSE Leap 15.5
apache2-mod_php7-7.4.33-150400.4.40.1
php7-7.4.33-150400.4.40.1
php7-bcmath-7.4.33-150400.4.40.1
php7-bz2-7.4.33-150400.4.40.1
php7-calendar-7.4.33-150400.4.40.1
php7-cli-7.4.33-150400.4.40.1
php7-ctype-7.4.33-150400.4.40.1
php7-curl-7.4.33-150400.4.40.1
php7-dba-7.4.33-150400.4.40.1
php7-devel-7.4.33-150400.4.40.1
php7-dom-7.4.33-150400.4.40.1
php7-embed-7.4.33-150400.4.40.1
php7-enchant-7.4.33-150400.4.40.1
php7-exif-7.4.33-150400.4.40.1
php7-fastcgi-7.4.33-150400.4.40.1
php7-fileinfo-7.4.33-150400.4.40.1
php7-fpm-7.4.33-150400.4.40.1
php7-ftp-7.4.33-150400.4.40.1
php7-gd-7.4.33-150400.4.40.1
php7-gettext-7.4.33-150400.4.40.1
php7-gmp-7.4.33-150400.4.40.1
php7-iconv-7.4.33-150400.4.40.1
php7-intl-7.4.33-150400.4.40.1
php7-json-7.4.33-150400.4.40.1
php7-ldap-7.4.33-150400.4.40.1
php7-mbstring-7.4.33-150400.4.40.1
php7-mysql-7.4.33-150400.4.40.1
php7-odbc-7.4.33-150400.4.40.1
php7-opcache-7.4.33-150400.4.40.1
php7-openssl-7.4.33-150400.4.40.1
php7-pcntl-7.4.33-150400.4.40.1
php7-pdo-7.4.33-150400.4.40.1
php7-pgsql-7.4.33-150400.4.40.1
php7-phar-7.4.33-150400.4.40.1
php7-posix-7.4.33-150400.4.40.1
php7-readline-7.4.33-150400.4.40.1
php7-shmop-7.4.33-150400.4.40.1
php7-snmp-7.4.33-150400.4.40.1
php7-soap-7.4.33-150400.4.40.1
php7-sockets-7.4.33-150400.4.40.1
php7-sodium-7.4.33-150400.4.40.1
php7-sqlite-7.4.33-150400.4.40.1
php7-sysvmsg-7.4.33-150400.4.40.1
php7-sysvsem-7.4.33-150400.4.40.1
php7-sysvshm-7.4.33-150400.4.40.1
php7-test-7.4.33-150400.4.40.1
php7-tidy-7.4.33-150400.4.40.1
php7-tokenizer-7.4.33-150400.4.40.1
php7-xmlreader-7.4.33-150400.4.40.1
php7-xmlrpc-7.4.33-150400.4.40.1
php7-xmlwriter-7.4.33-150400.4.40.1
php7-xsl-7.4.33-150400.4.40.1
php7-zip-7.4.33-150400.4.40.1
php7-zlib-7.4.33-150400.4.40.1
openSUSE Leap 15.6
apache2-mod_php7-7.4.33-150400.4.40.1
php7-7.4.33-150400.4.40.1
php7-bcmath-7.4.33-150400.4.40.1
php7-bz2-7.4.33-150400.4.40.1
php7-calendar-7.4.33-150400.4.40.1
php7-cli-7.4.33-150400.4.40.1
php7-ctype-7.4.33-150400.4.40.1
php7-curl-7.4.33-150400.4.40.1
php7-dba-7.4.33-150400.4.40.1
php7-devel-7.4.33-150400.4.40.1
php7-dom-7.4.33-150400.4.40.1
php7-embed-7.4.33-150400.4.40.1
php7-enchant-7.4.33-150400.4.40.1
php7-exif-7.4.33-150400.4.40.1
php7-fastcgi-7.4.33-150400.4.40.1
php7-fileinfo-7.4.33-150400.4.40.1
php7-fpm-7.4.33-150400.4.40.1
php7-ftp-7.4.33-150400.4.40.1
php7-gd-7.4.33-150400.4.40.1
php7-gettext-7.4.33-150400.4.40.1
php7-gmp-7.4.33-150400.4.40.1
php7-iconv-7.4.33-150400.4.40.1
php7-intl-7.4.33-150400.4.40.1
php7-json-7.4.33-150400.4.40.1
php7-ldap-7.4.33-150400.4.40.1
php7-mbstring-7.4.33-150400.4.40.1
php7-mysql-7.4.33-150400.4.40.1
php7-odbc-7.4.33-150400.4.40.1
php7-opcache-7.4.33-150400.4.40.1
php7-openssl-7.4.33-150400.4.40.1
php7-pcntl-7.4.33-150400.4.40.1
php7-pdo-7.4.33-150400.4.40.1
php7-pgsql-7.4.33-150400.4.40.1
php7-phar-7.4.33-150400.4.40.1
php7-posix-7.4.33-150400.4.40.1
php7-readline-7.4.33-150400.4.40.1
php7-shmop-7.4.33-150400.4.40.1
php7-snmp-7.4.33-150400.4.40.1
php7-soap-7.4.33-150400.4.40.1
php7-sockets-7.4.33-150400.4.40.1
php7-sodium-7.4.33-150400.4.40.1
php7-sqlite-7.4.33-150400.4.40.1
php7-sysvmsg-7.4.33-150400.4.40.1
php7-sysvsem-7.4.33-150400.4.40.1
php7-sysvshm-7.4.33-150400.4.40.1
php7-test-7.4.33-150400.4.40.1
php7-tidy-7.4.33-150400.4.40.1
php7-tokenizer-7.4.33-150400.4.40.1
php7-xmlreader-7.4.33-150400.4.40.1
php7-xmlrpc-7.4.33-150400.4.40.1
php7-xmlwriter-7.4.33-150400.4.40.1
php7-xsl-7.4.33-150400.4.40.1
php7-zip-7.4.33-150400.4.40.1
php7-zlib-7.4.33-150400.4.40.1

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could allow a malicious attacker who controls part of the submitted data to exclude portions of other data, potentially leading to erroneous application behavior.


Affected products
SUSE Linux Enterprise Module for Legacy 15 SP5:apache2-mod_php7-7.4.33-150400.4.40.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-7.4.33-150400.4.40.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-bcmath-7.4.33-150400.4.40.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-bz2-7.4.33-150400.4.40.1

References

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, the HTTP_REDIRECT_STATUS variable is used to check whether or not the CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to the cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.


Affected products
SUSE Linux Enterprise Module for Legacy 15 SP5:apache2-mod_php7-7.4.33-150400.4.40.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-7.4.33-150400.4.40.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-bcmath-7.4.33-150400.4.40.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-bz2-7.4.33-150400.4.40.1

References

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when the PHP-FPM SAPI is used and is configured to catch workers' output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.


Affected products
SUSE Linux Enterprise Module for Legacy 15 SP5:apache2-mod_php7-7.4.33-150400.4.40.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-7.4.33-150400.4.40.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-bcmath-7.4.33-150400.4.40.1
SUSE Linux Enterprise Module for Legacy 15 SP5:php7-bz2-7.4.33-150400.4.40.1

References
Vulnerability SUSE-SU-2024:3733-1