Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

openSUSE-SU-2021:3943-1

Опубликовано: 06 дек. 2021
Источник: suse-cvrf

Описание

Recommended update for php7

This update for php7 fixes the following issues:

  • CVE-2021-21703: Fixed local privilege escalation via PHP-FPM (bsc#1192050).

  • CVE-2021-21707: Fixed special character breaks path in xml parsing (bsc#1193041).

  • Added patch to prevent memory access violation in php7 when running test suite (bsc#1175508)

Список пакетов

openSUSE Leap 15.3
apache2-mod_php7-7.4.6-3.29.1
php7-7.4.6-3.29.1
php7-bcmath-7.4.6-3.29.1
php7-bz2-7.4.6-3.29.1
php7-calendar-7.4.6-3.29.1
php7-ctype-7.4.6-3.29.1
php7-curl-7.4.6-3.29.1
php7-dba-7.4.6-3.29.1
php7-devel-7.4.6-3.29.1
php7-dom-7.4.6-3.29.1
php7-embed-7.4.6-3.29.1
php7-enchant-7.4.6-3.29.1
php7-exif-7.4.6-3.29.1
php7-fastcgi-7.4.6-3.29.1
php7-fileinfo-7.4.6-3.29.1
php7-firebird-7.4.6-3.29.1
php7-fpm-7.4.6-3.29.1
php7-ftp-7.4.6-3.29.1
php7-gd-7.4.6-3.29.1
php7-gettext-7.4.6-3.29.1
php7-gmp-7.4.6-3.29.1
php7-iconv-7.4.6-3.29.1
php7-intl-7.4.6-3.29.1
php7-json-7.4.6-3.29.1
php7-ldap-7.4.6-3.29.1
php7-mbstring-7.4.6-3.29.1
php7-mysql-7.4.6-3.29.1
php7-odbc-7.4.6-3.29.1
php7-opcache-7.4.6-3.29.1
php7-openssl-7.4.6-3.29.1
php7-pcntl-7.4.6-3.29.1
php7-pdo-7.4.6-3.29.1
php7-pgsql-7.4.6-3.29.1
php7-phar-7.4.6-3.29.1
php7-posix-7.4.6-3.29.1
php7-readline-7.4.6-3.29.1
php7-shmop-7.4.6-3.29.1
php7-snmp-7.4.6-3.29.1
php7-soap-7.4.6-3.29.1
php7-sockets-7.4.6-3.29.1
php7-sodium-7.4.6-3.29.1
php7-sqlite-7.4.6-3.29.1
php7-sysvmsg-7.4.6-3.29.1
php7-sysvsem-7.4.6-3.29.1
php7-sysvshm-7.4.6-3.29.1
php7-test-7.4.6-3.29.1
php7-tidy-7.4.6-3.29.1
php7-tokenizer-7.4.6-3.29.1
php7-xmlreader-7.4.6-3.29.1
php7-xmlrpc-7.4.6-3.29.1
php7-xmlwriter-7.4.6-3.29.1
php7-xsl-7.4.6-3.29.1
php7-zip-7.4.6-3.29.1
php7-zlib-7.4.6-3.29.1

Ссылки

Описание

In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.

Затронутые продукты
openSUSE Leap 15.3:apache2-mod_php7-7.4.6-3.29.1
openSUSE Leap 15.3:php7-7.4.6-3.29.1
openSUSE Leap 15.3:php7-bcmath-7.4.6-3.29.1
openSUSE Leap 15.3:php7-bz2-7.4.6-3.29.1
Ссылки

Описание

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.

Затронутые продукты
openSUSE Leap 15.3:apache2-mod_php7-7.4.6-3.29.1
openSUSE Leap 15.3:php7-7.4.6-3.29.1
openSUSE Leap 15.3:php7-bcmath-7.4.6-3.29.1
openSUSE Leap 15.3:php7-bz2-7.4.6-3.29.1
Ссылки