CVE-2024-8929
Sébastien Rolland discovered a partial content leak of the heap
through heap buffer over-read in mysqlnd.
By connecting to a fake MySQL server or tampering with network
packets and initiating a SQL Query, it is possible to abuse
php_mysqlnd_rset_field_read() when parsing MySQL field packets in
order to include the rest of the heap content starting from the
address of the cursor of the currently read buffer.
CVE-2024-8932
Yiheng Cao discovered that uncontrolled long string inputs to
ldap_escape() on 32-bit systems can cause an integer overflow,
resulting in an out-of-bounds write.
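
The class of sizing bug described for CVE-2024-8932, as an added example that is not PHP's own code: an escaper that turns each escaped byte into a three-byte "\XX" sequence must compute its output length without wrapping. Here uint32_t stands in for a 32-bit size_t, and the function names, the escape set and the sample sizes are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* uint32_t models a 32-bit size_t so the wrap is visible on any host.
 * Unchecked sizing: each escaped byte becomes "\XX"; wraps modulo 2^32. */
static uint32_t escaped_len_unchecked(uint32_t plain, uint32_t escaped)
{
    return plain + escaped * 3u;
}

/* Checked sizing: rejects any input whose escaped length does not fit. */
static bool escaped_len_checked(uint32_t plain, uint32_t escaped, uint32_t *out)
{
    if (escaped > UINT32_MAX / 3u) return false;
    if (plain > UINT32_MAX - escaped * 3u) return false;
    *out = plain + escaped * 3u;
    return true;
}

/* Illustrative filter-style escape set (assumption): \ * ( ) and NUL. */
static bool needs_escape(unsigned char c)
{ return c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0'; }

/* Escapes in[0..len) into out. Returns bytes written, or -1 when the
 * length cannot be computed safely or does not fit in cap. */
static int64_t escape_into(const unsigned char *in, uint32_t len, char *out, uint32_t cap)
{
    static const char hex[] = "0123456789abcdef";
    uint32_t esc = 0, need = 0, w = 0;
    for (uint32_t i = 0; i < len; i++) esc += needs_escape(in[i]);
    if (!escaped_len_checked(len - esc, esc, &need) || need > cap) return -1;
    for (uint32_t i = 0; i < len; i++) {
        if (needs_escape(in[i])) {
            out[w++] = '\\';
            out[w++] = hex[in[i] >> 4];
            out[w++] = hex[in[i] & 15];
        } else out[w++] = (char)in[i];
    }
    return (int64_t)w;
}

int main(void)
{
    char out[32]; /* constructed sizes: 0x60000000 escaped bytes need 0x120000000 */
    printf("unchecked size: %u\n", (unsigned)escaped_len_unchecked(0, 0x60000000u));
    printf("written: %lld\n", (long long)escape_into((const unsigned char *)"a*(b)", 5, out, sizeof out));
    return 0;
}
```

With the unchecked form, a buffer allocated from the wrapped length is far smaller than what the escape loop then writes, which is the out-of-bounds write condition the advisory describes.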
CVE-2024-11233
A memory-related vulnerability was discovered in the filter handling
system, particularly when processing input with
convert.quoted-printable-decode filters, which could lead to a
segmentation fault.
This vulnerability is triggered through specific sequences of input
data, causing PHP to crash. When exploited, it allows an attacker