Bug 33278

Summary: PHP new security issues CVE-2024-4577, CVE-2024-5458, CVE-2024-5585
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: Security Assignee: PHP Stack Maintainers <php>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: mageia
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9TOO
Source RPM: php-8.3.8-1.mga10.src.rpm CVE: CVE-2024-4577, CVE-2024-5458, CVE-2024-5585
Status comment: Fixed upstream in 8.3.8, 8.2.20 and 8.1.29
Bug Depends on: 33358, 33359    
Bug Blocks:    

Description Nicolas Salguero 2024-06-10 10:05:08 CEST
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/06/07/1

Mageia 9 is also affected.
Nicolas Salguero 2024-06-10 10:06:06 CEST

CVE: (none) => CVE-2024-4577, CVE-2024-5458, CVE-2024-5585
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => php-8.3.8-1.mga10.src.rpm
Status comment: (none) => Fixed upstream in 8.3.8, 8.2.20 and 8.1.29

Nicolas Salguero 2024-06-10 10:06:11 CEST

Severity: normal => critical

Comment 1 Lewis Smith 2024-06-10 20:23:53 CEST
Assigning to PHP stack maintainers.

Assignee: bugsquad => php

Nicolas Salguero 2024-07-09 10:04:26 CEST

Depends on: (none) => 33358

Nicolas Salguero 2024-07-09 10:15:57 CEST

Depends on: (none) => 33359

Comment 2 Marc Krämer 2024-07-09 11:06:26 CEST
CVE-2024-4577 is Windows only, not affected: "...when using Apache and PHP-CGI on Windows..."
CVE-2024-5458: affected (moderate)
CVE-2024-5585: not affected: "...the user can supply arguments that would execute arbitrary commands in Windows shell..."

CC: (none) => mageia
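A version check against the upstream releases named in the status comment (8.3.8, 8.2.20 and 8.1.29), as an added example that is not part of this bug report or of the Mageia php package; the script name php_fix_check.sh is assumed, and branches the report does not mention are reported as not covered rather than guessed at:

```shell
#!/bin/sh
# Added example (not part of the bug report or of Mageia's packaging):
# classify a PHP version string against the upstream releases this bug
# names as carrying the fixes: 8.3.8, 8.2.20 and 8.1.29.
# Only those three branches are known from the report; any other branch
# is reported as "not-covered" rather than guessed at.

# php_fixed_for_cves VERSION
#   prints  fixed | vulnerable | not-covered
#   returns 0     | 1          | 2
# Accepts package-style strings such as "8.3.8-1.mga10" or "8.2.20RC1";
# anything after the numeric X.Y.Z prefix is ignored.
php_fixed_for_cves() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
  major=$(printf '%s' "$v" | cut -d. -f1)
  minor=$(printf '%s' "$v" | cut -d. -f2)
  patch=$(printf '%s' "$v" | cut -d. -f3)
  patch=${patch:-0}            # "8.3" with no patch level is treated as 8.3.0
  case "$major.$minor" in
    8.3) fixed_patch=8 ;;      # fixed upstream in 8.3.8
    8.2) fixed_patch=20 ;;     # fixed upstream in 8.2.20
    8.1) fixed_patch=29 ;;     # fixed upstream in 8.1.29
    *)   echo not-covered; return 2 ;;
  esac
  if [ "$patch" -ge "$fixed_patch" ]; then
    echo fixed; return 0
  fi
  echo vulnerable; return 1
}

# Query the php binary on this host and classify the running version.
check_installed_php() {
  ver=$(php -r 'echo PHP_VERSION;' 2>/dev/null) || ver=unknown
  printf 'installed php %s: %s\n' "$ver" "$(php_fixed_for_cves "$ver")"
}

# Usage: sh php_fix_check.sh [VERSION...]; with no arguments, check the local php.
if [ $# -gt 0 ]; then
  for arg in "$@"; do
    printf '%s: %s\n' "$arg" "$(php_fixed_for_cves "$arg")"
  done
elif command -v php >/dev/null 2>&1; then
  check_installed_php
fi
```

On a Mageia host the package version can also be fed in directly, e.g. `sh php_fix_check.sh "$(rpm -q --qf '%{VERSION}-%{RELEASE}' php)"`.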

Comment 3 Nicolas Salguero 2024-07-11 09:58:59 CEST
Fixed by bug 33359 and bug 33358.

Resolution: (none) => FIXED
Status: NEW => RESOLVED