Alerts This Week
Warning Icon 1 640
Alerts This Week
Warning Icon 1 640

Ubuntu 24.04 LTS: USN-7049-1 critical: php remote attack issues

ubuntu
Calendar Grey October 1, 2024
Dist Ubuntu Esm H88
Updates for PHP vulnerabilities are covered in Ubuntu Security Announcement USN-7050-1 for releases 7.4, 8.1, and 8.3.
Several security issues were fixed in PHP.

Summary

Several security issues were fixed in PHP.

Software Description:

- php8.3: HTML-embedded scripting language interpreter

- php8.1: HTML-embedded scripting language interpreter

- php7.4: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled parsing multipart form data.

A remote attacker could possibly use this issue to inject payloads and

cause PHP to ignore legitimate data. (CVE-2024-8925)

It was discovered that PHP incorrectly handled the cgi.force_redirect

configuration option due to environment variable collisions. In certain

configurations, an attacker could possibly use this issue bypass

force_redirect restrictions. (CVE-2024-8927)

It was discovered that PHP-FPM incorrectly handled logging. A remote

attacker could possibly use this issue to alter and inject arbitrary

contents into log files. This issue only affected Ubuntu 22.04 LTS, and

Ubuntu 24.04 LTS. (CVE-2024-9026)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
   libapache2-mod-php8.3           8.3.6-0ubuntu0.24.04.2
   php8.3-cgi                      8.3.6-0ubuntu0.24.04.2
   php8.3-cli                      8.3.6-0ubuntu0.24.04.2
   php8.3-fpm                      8.3.6-0ubuntu0.24.04.2

Ubuntu 22.04 LTS
   libapache2-mod-php8.1           8.1.2-1ubuntu2.19
   php8.1-cgi                      8.1.2-1ubuntu2.19
   php8.1-cli                      8.1.2-1ubuntu2.19
   php8.1-fpm                      8.1.2-1ubuntu2.19

Ubuntu 20.04 LTS
   libapache2-mod-php7.4           7.4.3-4ubuntu2.24
   php7.4-cgi                      7.4.3-4ubuntu2.24
   php7.4-cli                      7.4.3-4ubuntu2.24
   php7.4-fpm                      7.4.3-4ubuntu2.24

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-7049-1

CVE-2024-8925, CVE-2024-8927, CVE-2024-9026

Severity
critical
Lowest
Low
Medium
High
Critical

Ubuntu Security Notice USN-7049-1

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here