Description
Security update for php8
This update for php8 fixes the following issues:
Version update to 8.2.29:
- CVE-2025-1220: Fixed null byte termination in hostnames (bsc#1246167)
- CVE-2025-1735: Fixed pgsql extension does not check for errors during escaping (bsc#1246146)
- CVE-2025-6491: Fixed NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix (bsc#1246148)
Package list
SUSE Linux Enterprise Module for Web and Scripting 15 SP6
openSUSE Leap 15.6
References
- Link for SUSE-SU-2025:02474-1
- E-Mail link for SUSE-SU-2025:02474-1
- SUSE Security Ratings
- SUSE Bug 1246146
- SUSE Bug 1246148
- SUSE Bug 1246167
- SUSE CVE CVE-2025-1220 page
- SUSE CVE CVE-2025-1735 page
- SUSE CVE CVE-2025-6491 page
Description
In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10, some functions like fsockopen() lack validation that the supplied hostname does not contain null characters. This may lead other functions like parse_url() to treat the hostname in a different way, thus opening the way to security problems if the user code implements access checks before access using such functions.
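Added example (not part of the advisory or of PHP's own code): one way for application code to keep the access check and the connection in agreement about the hostname, by rejecting NUL and other control bytes before an allow-list check and passing only the vetted value to fsockopen(). The allow-list entries and the function names vetted_host() and connect_checked() are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list for this example; not taken from the advisory.
const ALLOWED_HOSTS = ['api.example.com', 'cdn.example.com'];

// Returns the canonical hostname if it may be connected to, otherwise null.
function vetted_host(string $host): ?string
{
    // Reject NUL, other control bytes and whitespace before any other check,
    // so every later function sees the same hostname.
    if ($host === '' || preg_match('/[\x00-\x20\x7f]/', $host) === 1) {
        return null;
    }
    $host = strtolower(rtrim($host, '.'));
    // Syntactic hostname check (labels, lengths, allowed characters).
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return null;
    }
    // Exact match against the allow-list, never a prefix or suffix match.
    return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
}

// Connects only to the vetted value, never to the raw caller-supplied string.
function connect_checked(string $host, int $port, float $timeout = 5.0)
{
    $safe = vetted_host($host);
    if ($safe === null) {
        throw new InvalidArgumentException('hostname rejected');
    }
    $fp = @fsockopen($safe, $port, $errno, $errstr, $timeout);
    if ($fp === false) {
        throw new RuntimeException("connect to $safe failed: $errstr ($errno)");
    }
    return $fp;
}

// Constructed sample inputs; only the validator runs here, no network access.
$samples = [
    'api.example.com',
    'API.Example.com.',
    "api.example.com\x00.other.test",
    'other.example.org',
];
foreach ($samples as $s) {
    $verdict = vetted_host($s) ?? 'REJECTED';
    echo json_encode($s), ' => ', $verdict, PHP_EOL;
}
```

This input check complements the update to the fixed PHP versions listed above; it does not replace it.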
Affected products
References
- CVE-2025-1220
- SUSE Bug 1246167
Description
In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.*, the pgsql and pdo_pgsql escaping functions do not check whether the underlying quoting functions returned errors. This could cause crashes if the Postgres server rejects the string as invalid.
Affected products
References
- CVE-2025-1735
- SUSE Bug 1246146
Description
In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10, when parsing XML data in SOAP extensions, an overly large (>2Gb) XML namespace prefix may lead to a null pointer dereference. This may lead to crashes and affect the availability of the target server.
Affected products
References
- CVE-2025-6491
- SUSE Bug 1246148