| Summary: | PHP: update to version 8.0.24 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Marc Krämer <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-32-OK | ||
| Source RPM: | php | CVE: | CVE-2022-31629 |
| Status comment: | |||
Description
Marc Krämer
2022-09-29 14:23:17 CEST
Advisory will follow when release notes ready. RPMS in core/updates_testing: php-dom-debuginfo-8.0.24-1.mga8 php-openssl-debuginfo-8.0.24-1.mga8 php-mbstring-8.0.24-1.mga8 php-mysqlnd-debuginfo-8.0.24-1.mga8 php-phar-debuginfo-8.0.24-1.mga8 php-debuginfo-8.0.24-1.mga8 php-mbstring-debuginfo-8.0.24-1.mga8 php-pgsql-debuginfo-8.0.24-1.mga8 php-opcache-8.0.24-1.mga8 php-mysqli-debuginfo-8.0.24-1.mga8 php-fileinfo-debuginfo-8.0.24-1.mga8 php-intl-8.0.24-1.mga8 php-pdo-debuginfo-8.0.24-1.mga8 php-curl-debuginfo-8.0.24-1.mga8 php-ini-8.0.24-1.mga8 php-intl-debuginfo-8.0.24-1.mga8 php-sockets-debuginfo-8.0.24-1.mga8 php-phar-8.0.24-1.mga8 php-session-debuginfo-8.0.24-1.mga8 php-soap-debuginfo-8.0.24-1.mga8 php-soap-8.0.24-1.mga8 php-mysqlnd-8.0.24-1.mga8 php-gmp-debuginfo-8.0.24-1.mga8 php-imap-debuginfo-8.0.24-1.mga8 php-gd-debuginfo-8.0.24-1.mga8 php-ldap-debuginfo-8.0.24-1.mga8 php-dba-debuginfo-8.0.24-1.mga8 php-openssl-8.0.24-1.mga8 php-doc-8.0.24-1.mga8 php-ftp-debuginfo-8.0.24-1.mga8 php-exif-debuginfo-8.0.24-1.mga8 php-snmp-debuginfo-8.0.24-1.mga8 php-zip-debuginfo-8.0.24-1.mga8 php-sodium-debuginfo-8.0.24-1.mga8 php-tidy-debuginfo-8.0.24-1.mga8 php-dom-8.0.24-1.mga8 php-pgsql-8.0.24-1.mga8 php-odbc-debuginfo-8.0.24-1.mga8 php-mysqli-8.0.24-1.mga8 php-iconv-debuginfo-8.0.24-1.mga8 php-filter-debuginfo-8.0.24-1.mga8 php-posix-debuginfo-8.0.24-1.mga8 php-bcmath-debuginfo-8.0.24-1.mga8 php-sqlite3-debuginfo-8.0.24-1.mga8 php-pdo_pgsql-debuginfo-8.0.24-1.mga8 php-zlib-debuginfo-8.0.24-1.mga8 php-pdo-8.0.24-1.mga8 php-sockets-8.0.24-1.mga8 php-imap-8.0.24-1.mga8 php-curl-8.0.24-1.mga8 php-pdo_firebird-debuginfo-8.0.24-1.mga8 php-pdo_sqlite-debuginfo-8.0.24-1.mga8 php-xsl-debuginfo-8.0.24-1.mga8 php-gd-8.0.24-1.mga8 php-session-8.0.24-1.mga8 php-pdo_mysql-debuginfo-8.0.24-1.mga8 php-gmp-8.0.24-1.mga8 php-ldap-8.0.24-1.mga8 php-exif-8.0.24-1.mga8 php-tokenizer-debuginfo-8.0.24-1.mga8 php-readline-debuginfo-8.0.24-1.mga8 php-xmlwriter-debuginfo-8.0.24-1.mga8 
php-pdo_dblib-debuginfo-8.0.24-1.mga8 php-sodium-8.0.24-1.mga8 php-xmlreader-debuginfo-8.0.24-1.mga8 php-calendar-debuginfo-8.0.24-1.mga8 php-sqlite3-8.0.24-1.mga8 php-ftp-8.0.24-1.mga8 php-odbc-8.0.24-1.mga8 php-pcntl-debuginfo-8.0.24-1.mga8 php-dba-8.0.24-1.mga8 php-zip-8.0.24-1.mga8 php-bz2-debuginfo-8.0.24-1.mga8 php-pdo_odbc-debuginfo-8.0.24-1.mga8 php-snmp-8.0.24-1.mga8 php-tidy-8.0.24-1.mga8 php-bcmath-8.0.24-1.mga8 php-iconv-8.0.24-1.mga8 php-ctype-debuginfo-8.0.24-1.mga8 php-filter-8.0.24-1.mga8 php-enchant-debuginfo-8.0.24-1.mga8 php-xmlwriter-8.0.24-1.mga8 php-zlib-8.0.24-1.mga8 php-pdo_pgsql-8.0.24-1.mga8 php-gettext-debuginfo-8.0.24-1.mga8 php-sysvmsg-debuginfo-8.0.24-1.mga8 php-pdo_firebird-8.0.24-1.mga8 php-pdo_mysql-8.0.24-1.mga8 php-pdo_sqlite-8.0.24-1.mga8 php-calendar-8.0.24-1.mga8 php-sysvshm-debuginfo-8.0.24-1.mga8 php-xsl-8.0.24-1.mga8 php-readline-8.0.24-1.mga8 php-xmlreader-8.0.24-1.mga8 php-pcntl-8.0.24-1.mga8 php-posix-8.0.24-1.mga8 php-sysvshm-8.0.24-1.mga8 php-pdo_dblib-8.0.24-1.mga8 php-bz2-8.0.24-1.mga8 php-pdo_odbc-8.0.24-1.mga8 php-enchant-8.0.24-1.mga8 php-sysvsem-debuginfo-8.0.24-1.mga8 php-shmop-debuginfo-8.0.24-1.mga8 php-tokenizer-8.0.24-1.mga8 php-shmop-8.0.24-1.mga8 php-sysvmsg-8.0.24-1.mga8 php-fpm-apache-8.0.24-1.mga8 php-fpm-nginx-8.0.24-1.mga8 php-sysvsem-8.0.24-1.mga8 php-gettext-8.0.24-1.mga8 php-ctype-8.0.24-1.mga8 php-cgi-8.0.24-1.mga8 phpdbg-8.0.24-1.mga8 php-cli-8.0.24-1.mga8 php-fpm-8.0.24-1.mga8 apache-mod_php-8.0.24-1.mga8 php-opcache-debuginfo-8.0.24-1.mga8 php-fileinfo-8.0.24-1.mga8 php-cgi-debuginfo-8.0.24-1.mga8 apache-mod_php-debuginfo-8.0.24-1.mga8 php-fpm-debuginfo-8.0.24-1.mga8 phpdbg-debuginfo-8.0.24-1.mga8 php-cli-debuginfo-8.0.24-1.mga8 php-debugsource-8.0.24-1.mga8 php-devel-8.0.24-1.mga8

SRPM: php-8.0.24-1.mga8.src.rpm

Assignee: mageia => qa-bugs

please see also #30914
https://www.php.net/ChangeLog-8.php#8.0.24 (not posted yet)

Summary: PHP: update to version 8.0.20 => PHP: update to version 8.0.24

Updated php package to 8.0.24 for security and error correction:
Core:
- Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function) (Tim Starling)
- Fixed bug GH-9361 (Segmentation fault on script exit #9379).
- Fixed bug GH-9407 (LSP error in eval'd code refers to wrong class for static type).
- Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629)
DOM:
- Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free).
FPM:
- Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to error_log after daemon reload).
- Fixed bug #77780 ("Headers already sent..." when previous connection was aborted).
GMP:
- Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init()).
Intl:
- Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter).
Phar:
- Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628)
PDO_PGSQL:
- Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed).
Reflection:
- Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure).
- Fixed bug GH-9409 (Private method is incorrectly dumped as "overwrites").
Streams:
- Fixed bug GH-9316 ($http_response_header is wrong for long status line).
References:
[1] https://www.php.net/ChangeLog-8.php#8.0.24
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31629

QA Contact: (none) => security

MGA8-32bit, Nextcloud server

The following 25 packages are going to be installed:

- apache-mod_php-8.0.24-1.mga8.i586
- php-cgi-8.0.24-1.mga8.i586
- php-curl-8.0.24-1.mga8.i586
- php-dom-8.0.24-1.mga8.i586
- php-exif-8.0.24-1.mga8.i586
- php-fileinfo-8.0.24-1.mga8.i586
- php-filter-8.0.24-1.mga8.i586
- php-gd-8.0.24-1.mga8.i586
- php-iconv-8.0.24-1.mga8.i586
- php-ini-8.0.24-1.mga8.i586
- php-intl-8.0.24-1.mga8.i586
- php-ldap-8.0.24-1.mga8.i586
- php-mbstring-8.0.24-1.mga8.i586
- php-mysqlnd-8.0.24-1.mga8.i586
- php-openssl-8.0.24-1.mga8.i586
- php-pdo-8.0.24-1.mga8.i586
- php-pdo_mysql-8.0.24-1.mga8.i586
- php-pdo_sqlite-8.0.24-1.mga8.i586
- php-session-8.0.24-1.mga8.i586
- php-sysvsem-8.0.24-1.mga8.i586
- php-sysvshm-8.0.24-1.mga8.i586
- php-xmlreader-8.0.24-1.mga8.i586
- php-xmlwriter-8.0.24-1.mga8.i586
- php-zip-8.0.24-1.mga8.i586
- php-zlib-8.0.24-1.mga8.i586

---rebooted to make sure memory was clear

Ran nextcloud client and various utilities against the nextcloud server running on php. Working as expected.

Whiteboard: (none) => MGA8-32-OK

I'd feel more comfortable if we had a 64-bit test as well, but I'm going to send this on anyway. Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
Dave Hodgins
2022-10-08 19:47:07 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0362.html

Status: NEW => RESOLVED