------------------------------------------------------------------------- Debian LTS Advisory DLA-3345-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin February 26, 2023 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : php7.3 Version : 7.3.31-1~deb10u3 CVE ID : CVE-2022-31631 CVE-2023-0567 CVE-2023-0568 CVE-2023-0662 Debian Bug : 1031368 Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in denial of service or incorrect validation of BCrypt hashes. CVE-2022-31631 Due to an uncaught integer overflow, `PDO::quote()` of PDO_SQLite may return an improperly quoted string. The exact details likely depend on the implementation of `sqlite3_snprintf()`, but with some versions it is possible to force the function to return a single apostrophe, if the function is called on user supplied input without any length restrictions in place. CVE-2023-0567 Tim Düsterhus discovered that malformed BCrypt hashes that include a `$` within their salt part trigger a buffer overread and may erroneously validate any password as valid. (`Password_verify()` always return `true` with such inputs.) CVE-2023-0568 1-byte array overrun when appending slash to paths during path resolution. CVE-2023-0662 Jakob Ackermann discovered a Denial of Service vulnerability when parsing multipart request body: the request body parsing in PHP allows any unauthenticated attacker to consume a large amount of CPU time and trigger excessive logging. For Debian 10 buster, these problems have been fixed in version 7.3.31-1~deb10u3. We recommend that you upgrade your php7.3 packages. For the detailed security status of php7.3 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/php7.3 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS: DLA-3345-1: php7.3 security update
February 26, 2023
Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in denial of service or incorrect validation of BCrypt ...
Summary
Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in denial of
service or incorrect validation of BCrypt hashes.
CVE-2022-31631
Due to an uncaught integer overflow, `PDO::quote()` of PDO_SQLite
may return an improperly quoted string. The exact details likely
depend on the implementation of `sqlite3_snprintf()`, but with some
versions it is possible to force the function to return a single
apostrophe, if the function is called on user supplied input without
any length restrictions in place.
CVE-2023-0567
Tim Düsterhus discovered that malformed BCrypt hashes that include a
`$` within their salt part trigger a buffer overread and may
erroneously validate any password as valid. (`Password_verify()`
always return `true` with such inputs.)
CVE-2023-0568
1-byte array overrun when appending slash to paths during path
resolution.
CVE-2023-0662
Jakob Ackermann discovered a Denial of Service vulnerability when
parsing multipart request body: the request body parsing in PHP
allows any unauthenticated attacker to consume a large amount of CPU
time and trigger excessive logging.
For Debian 10 buster, these problems have been fixed in version
7.3.31-1~deb10u3.
We recommend that you upgrade your php7.3 packages.
For the detailed security status of php7.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.3
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Severity
Package : php7.3
Version : 7.3.31-1~deb10u3
CVE ID : CVE-2022-31631 CVE-2023-0567 CVE-2023-0568 CVE-2023-0662
Debian Bug : 1031368
News
HOWTOs
Features
Interview with Guardian Digital CEO Dave Wreski: Open Source Utilization in Email Security Solutions & More
Verifying Linux Server Security: What Every Admin Needs to Know
What Linux, Windows & Mac OS Users Need to Know About VPNs
Complete Guide to Vulnerability Basics
How To Get Live Updates on Critical Linux Security Advisories
About Us
Powered By
