This week, important updates have been issued for PHP, polkit and djvulibre.
We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select.
On behalf of the LinuxSecurity.com administrative team, I would like to extend a warm welcome to our newly redesigned site!
Yours in Open Source,
PHP: The Discovery
Several remotely exploitable vulnerabilities have been discovered in the php7.0 and php5 HTML-embedded scripting language interpreters. These flaws include incorrect handling of certain PHAR files (CVE-2020-7068), URLs with passwords (CVE-2020-7071), certain malformed XML data when parsed by the SOAP extension (CVE-2021-21702), the pdo_firebird module (CVE-2021-21704) and the FILTER_VALIDATE_URL check (CVE-2021-21705).
These issues could allow a remote attacker to cause PHP to crash, resulting in a denial of service (DoS), perform a server-side request forgery attack, or possibly obtain sensitive information.
These problems can be corrected by updating your php7.0 and php5 package versions. In general, a standard system update will make all the necessary changes.
A high-severity vulnerability in polkit, a toolkit for managing policies related to unprivileged processes communicating with privileged processes, has been discovered (CVE-2021-3560). The issue involves the function polkit_system_bus_name_get_creds_sync() being called without checking for errors, temporarily treating the authentication request as if it were coming from root.
This flaw could lead to local root privilege escalation.
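The failure mode described above, as an added illustration that is not polkit's code: a hypothetical credentials lookup (lookup_peer_uid, standing in for polkit_system_bus_name_get_creds_sync()) whose error return is ignored, so a failed lookup leaves a zero-initialised uid that reads as root, beside the fail-closed version that checks the result. The bus names and uid table are constructed sample data.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a credentials lookup such as polkit's
 * polkit_system_bus_name_get_creds_sync() (this is NOT polkit's code).
 * Returns true and fills *uid on success; returns false and leaves *uid
 * untouched when the peer cannot be resolved (e.g. it already went away). */
static bool lookup_peer_uid(const char *bus_name, unsigned int *uid) {
    /* Constructed table of connected D-Bus peers. */
    if (bus_name && strcmp(bus_name, ":1.0") == 0)  { *uid = 0;    return true; }
    if (bus_name && strcmp(bus_name, ":1.42") == 0) { *uid = 1000; return true; }
    return false;   /* unknown or already-disconnected peer */
}

/* Vulnerable pattern (the bug class described above): the lookup's return
 * value is ignored, so when it fails the zero-initialised uid is read as
 * root and the request is treated as authorised. */
bool authorize_unchecked(const char *bus_name) {
    unsigned int uid = 0;
    lookup_peer_uid(bus_name, &uid);   /* error silently dropped */
    return uid == 0;                   /* requests from root are approved */
}

/* Hardened pattern: a failed lookup is an error, and errors fail closed. */
bool authorize_checked(const char *bus_name) {
    unsigned int uid;
    if (!lookup_peer_uid(bus_name, &uid)) {
        fprintf(stderr, "cannot resolve credentials for %s: denying\n",
                bus_name ? bus_name : "(null)");
        return false;
    }
    return uid == 0;
}

int main(void) {
    const char *peers[] = { ":1.0", ":1.42", ":1.99" };
    for (int i = 0; i < 3; i++)
        printf("%-6s unchecked=%d checked=%d\n", peers[i],
               authorize_unchecked(peers[i]), authorize_checked(peers[i]));
    return 0;
}
```

Only the unresolvable peer ":1.99" differs between the two functions: the unchecked version approves it as root, the checked version denies it.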
All polkit users should upgrade to the latest version: