Debian 11: DLA-3920-1 high: php7.4 code execution risks
debian lts
October 15, 2024
Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in execution of arbitrary code, erroneous parsing of in...
Topics Covered
Summary
CVE-2022-4900
It was discovered that setting the environment variable
PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer
overflow.
CVE-2024-5458
Due to a code logic error, filtering functions such as filter_var
when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs
the function results in invalid user information (username +
password part of URLs) being treated as valid user information.
This may lead to the downstream code accepting invalid URLs as valid
and parsing them incorrectly.
This causes the same problems as CVE-2020-7071, but with IPv6 host
parts.
CVE-2024-8925
Mihail Kirov discovered an erroneous parsing of multipart form data
contained in an HTTP POST request, which could lead to legitimate
data not being processed thereby violating data integrity.
CVE-2024-8927
It was discovered that the `cgi.force_redirect` configuration
setting is bypassable due to environment variable collision.
CVE-2024-9026
PREVIOUS
NEXT
Package: php7.4
Version: 7.4.33-1+deb11u6
CVE ID: CVE-2022-4900 CVE-2024-5458 CVE-2024-8925 CVE-2024-8927
Debian Bug: 1072885
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!