Alerts This Week
Warning Icon 1 692
Alerts This Week
Warning Icon 1 692

Red Hat Enterprise Linux 8 RHSA-2023-2903-01 Moderate PHP 7.4 Fix

red hat
Calendar Grey May 16, 2023
Dist Redhat Esm H88
A routine security enhancement for the php package on Red Hat Enterprise Linux 8 resolves several security flaws. Discover further details here.
An update for the php:7.4 module is now available for Red Hat Enterprise Linux 8

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Summary

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
The following packages have been upgraded to a later upstream version: php (7.4.33).
Security Fix(es):
* XKCP: buffer overflow in the SHA-3 reference implementation (CVE-2022-37454)
* php: standard insecure cookie could be treated as a '__Host-' or '__Secure-' cookie by PHP applications (CVE-2022-31629)
* php: OOB read due to insufficient input validation in imageloadfont() (CVE-2022-31630)
* php: PDO::quote() may return unquoted string due to an integer overflow (CVE-2022-31631)
* php: phar: infinite loop when decompressing quine gzip file (CVE-2022-31628)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.

Topics%20covered

Topics Covered

security advisory buffer overflow Red Hat Enterprise Linux moderate severity input validation security impact php module

References

https://access.redhat.com/security/cve/CVE-2022-31628 https://access.redhat.com/security/cve/CVE-2022-31629 https://access.redhat.com/security/cve/CVE-2022-31630 https://access.redhat.com/security/cve/CVE-2022-31631 https://access.redhat.com/security/cve/CVE-2022-37454 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

Package List

Red Hat Enterprise Linux AppStream (v. 8):
Source: libzip-1.6.1-1.module+el8.3.0+6678+b09f589e.src.rpm php-7.4.33-1.module+el8.8.0+17865+ef7eddfa.src.rpm php-pear-1.10.13-1.module+el8.7.0+15127+a450a8db.src.rpm php-pecl-apcu-5.1.18-1.module+el8.3.0+6678+b09f589e.src.rpm php-pecl-rrd-2.0.1-1.module+el8.3.0+6678+b09f589e.src.rpm php-pecl-xdebug-2.9.5-1.module+el8.3.0+6678+b09f589e.src.rpm php-pecl-zip-1.18.2-1.module+el8.3.0+6678+b09f589e.src.rpm
aarch64: libzip-1.6.1-1.module+el8.3.0+6678+b09f589e.aarch64.rpm libzip-debuginfo-1.6.1-1.module+el8.3.0+6678+b09f589e.aarch64.rpm libzip-debugsource-1.6.1-1.module+el8.3.0+6678+b09f589e.aarch64.rpm libzip-devel-1.6.1-1.module+el8.3.0+6678+b09f589e.aarch64.rpm libzip-tools-1.6.1-1.module+el8.3.0+6678+b09f589e.aarch64.rpm libzip-tools-debuginfo-1.6.1-1.module+el8.3.0+6678+b09f589e.aarch64.rpm php-7.4.33-1.module+el8.8.0+17865+ef7eddfa.aarch64.rpm php-bcmath-7.4.33-1.module+el8.8.0+17865+ef7eddfa.aarch64.rpm php-bcmath-debuginfo-7.4.33-1.module+el8.8.0+17865+ef7eddfa.aarch64.rpm php-cli-7.4.33-1.module+el8.8.0+17865+ef7eddfa.aarch64.rpm php-cli-debuginfo-7.4.33-1.module+el8.8.0+17865+ef7eddfa.aarch64.rpm php-common-7.4.33-1.module+el8.8.0+17865+ef7eddfa.aarch64.rpm

Read the Full Advisory


Advisory ID: RHSA-2023:2903-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2903
Issue date: 2023-05-16

Topic

An update for the php:7.4 module is now available for Red Hat EnterpriseLinux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory buffer overflow Red Hat Enterprise Linux moderate severity input validation security impact php module

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

Bugs Fixed

2133687 - CVE-2022-31629 php: standard insecure cookie could be treated as a '__Host-' or '__Secure-' cookie by PHP applications

2133688 - CVE-2022-31628 php: phar: infinite loop when decompressing quine gzip file

2139280 - CVE-2022-31630 php: OOB read due to insufficient input validation in imageloadfont()

2140200 - CVE-2022-37454 XKCP: buffer overflow in the SHA-3 reference implementation

2158791 - CVE-2022-31631 php: PDO::quote() may return unquoted string due to an integer overflow

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here