| Summary: | PHP: update to 8.2.21 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Marc Krämer <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | php | CVE: | CVE-2024-5458 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 33355, 33278 | ||
Description
Marc Krämer
2024-07-03 14:44:01 CEST
Packages available.

Changelog: https://www.php.net/ChangeLog-8.php#8.2.21 (will follow on 4th)

Advisory will be added, when changelog is available :)

This update should also fix https://bugs.mageia.org/show_bug.cgi?id=33355

Files in core/updates_testing:
php-cli-8.2.21-2.mga9 php-cgi-8.2.21-2.mga9 php-fpm-8.2.21-2.mga9 phpdbg-8.2.21-2.mga9 php-debuginfo-8.2.21-2.mga9 php-intl-debuginfo-8.2.21-2.mga9 php-opcache-debuginfo-8.2.21-2.mga9 php-soap-debuginfo-8.2.21-2.mga9 php-mbstring-debuginfo-8.2.21-2.mga9 php-mbstring-8.2.21-2.mga9 php-phar-debuginfo-8.2.21-2.mga9 php-opcache-8.2.21-2.mga9 php-dom-debuginfo-8.2.21-2.mga9 php-openssl-debuginfo-8.2.21-2.mga9 php-intl-8.2.21-2.mga9 php-mysqlnd-debuginfo-8.2.21-2.mga9 php-fileinfo-8.2.21-2.mga9 php-mysqli-debuginfo-8.2.21-2.mga9 php-pdo-debuginfo-8.2.21-2.mga9 php-pgsql-debuginfo-8.2.21-2.mga9 php-fileinfo-debuginfo-8.2.21-2.mga9 php-curl-debuginfo-8.2.21-2.mga9 php-soap-8.2.21-2.mga9 php-phar-8.2.21-2.mga9 apache-mod_php-8.2.21-2.mga9 php-ini-8.2.21-2.mga9 php-session-debuginfo-8.2.21-2.mga9 php-sockets-debuginfo-8.2.21-2.mga9 php-mysqlnd-8.2.21-2.mga9 php-sodium-debuginfo-8.2.21-2.mga9 php-imap-debuginfo-8.2.21-2.mga9 php-zip-debuginfo-8.2.21-2.mga9 php-ldap-debuginfo-8.2.21-2.mga9 php-gd-debuginfo-8.2.21-2.mga9 php-dom-8.2.21-2.mga9 php-openssl-8.2.21-2.mga9 php-dba-debuginfo-8.2.21-2.mga9 php-snmp-debuginfo-8.2.21-2.mga9 php-gmp-debuginfo-8.2.21-2.mga9 php-sqlite3-debuginfo-8.2.21-2.mga9 php-mysqli-8.2.21-2.mga9 php-tidy-debuginfo-8.2.21-2.mga9 php-exif-debuginfo-8.2.21-2.mga9 php-pgsql-8.2.21-2.mga9 php-ftp-debuginfo-8.2.21-2.mga9 php-filter-debuginfo-8.2.21-2.mga9 php-odbc-debuginfo-8.2.21-2.mga9 php-doc-8.2.21-2.mga9.noarch.rpm php-pdo-8.2.21-2.mga9 php-bcmath-debuginfo-8.2.21-2.mga9 php-curl-8.2.21-2.mga9 php-session-8.2.21-2.mga9 php-gd-8.2.21-2.mga9 php-pcntl-debuginfo-8.2.21-2.mga9 php-sodium-8.2.21-2.mga9 php-xmlreader-debuginfo-8.2.21-2.mga9 php-iconv-debuginfo-8.2.21-2.mga9 php-imap-8.2.21-2.mga9
php-posix-debuginfo-8.2.21-2.mga9 php-sockets-8.2.21-2.mga9 php-pdo_pgsql-debuginfo-8.2.21-2.mga9 php-zip-8.2.21-2.mga9 php-pdo_mysql-debuginfo-8.2.21-2.mga9 php-zlib-debuginfo-8.2.21-2.mga9 php-ldap-8.2.21-2.mga9 php-xsl-debuginfo-8.2.21-2.mga9 php-exif-8.2.21-2.mga9 php-pdo_firebird-debuginfo-8.2.21-2.mga9 php-pdo_sqlite-debuginfo-8.2.21-2.mga9 php-xmlwriter-debuginfo-8.2.21-2.mga9 php-odbc-8.2.21-2.mga9 php-gmp-8.2.21-2.mga9 php-readline-debuginfo-8.2.21-2.mga9 php-tokenizer-debuginfo-8.2.21-2.mga9 php-pdo_dblib-debuginfo-8.2.21-2.mga9 php-dba-8.2.21-2.mga9 php-ftp-8.2.21-2.mga9 php-sqlite3-8.2.21-2.mga9 php-calendar-debuginfo-8.2.21-2.mga9 php-pdo_odbc-debuginfo-8.2.21-2.mga9 php-tidy-8.2.21-2.mga9 php-snmp-8.2.21-2.mga9 php-zlib-8.2.21-2.mga9 php-bz2-debuginfo-8.2.21-2.mga9 php-iconv-8.2.21-2.mga9 php-enchant-debuginfo-8.2.21-2.mga9 php-filter-8.2.21-2.mga9 php-xmlwriter-8.2.21-2.mga9 php-pdo_pgsql-8.2.21-2.mga9 php-xmlreader-8.2.21-2.mga9 php-pcntl-8.2.21-2.mga9 php-posix-8.2.21-2.mga9 php-pdo_firebird-8.2.21-2.mga9 php-bcmath-8.2.21-2.mga9 php-sysvmsg-debuginfo-8.2.21-2.mga9 php-ctype-debuginfo-8.2.21-2.mga9 php-pdo_sqlite-8.2.21-2.mga9 php-gettext-debuginfo-8.2.21-2.mga9 php-calendar-8.2.21-2.mga9 php-pdo_odbc-8.2.21-2.mga9 php-readline-8.2.21-2.mga9 php-xsl-8.2.21-2.mga9 php-pdo_dblib-8.2.21-2.mga9 php-pdo_mysql-8.2.21-2.mga9 php-tokenizer-8.2.21-2.mga9 php-sysvshm-debuginfo-8.2.21-2.mga9 php-bz2-8.2.21-2.mga9 php-sysvshm-8.2.21-2.mga9 php-sysvsem-debuginfo-8.2.21-2.mga9 php-enchant-8.2.21-2.mga9 php-shmop-debuginfo-8.2.21-2.mga9 php-sysvmsg-8.2.21-2.mga9 php-shmop-8.2.21-2.mga9 php-gettext-8.2.21-2.mga9 php-ctype-8.2.21-2.mga9 php-sysvsem-8.2.21-2.mga9 php-fpm-apache-8.2.21-2.mga9 php-fpm-nginx-8.2.21-2.mga9 php-cgi-debuginfo-8.2.21-2.mga9 php-fpm-debuginfo-8.2.21-2.mga9 apache-mod_php-debuginfo-8.2.21-2.mga9 php-cli-debuginfo-8.2.21-2.mga9 phpdbg-debuginfo-8.2.21-2.mga9 php-debugsource-8.2.21-2.mga9 php-devel-8.2.21-2.mga9 SRPM: php-8.2.21-2.mga9.src.rpm
Marc Krämer
2024-07-03 14:46:57 CEST
Assignee:
mageia =>
qa-bugs
Marc Krämer
2024-07-03 14:51:48 CEST
Blocks:
(none) =>
33355
Marc Krämer
2024-07-03 14:52:33 CEST
Blocks:
33355 =>
(none)
Marc Krämer
2024-07-03 14:53:09 CEST
Blocks:
(none) =>
33355

RH mageia 9 x86_64
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing php-zlib-8.2.21-2.mga9.x86_64.rpm php-cli-8.2.21-2.mga9.x86_64.rpm php-sysvshm-8.2.21-2.mga9.x86_64.rpm php-fpm-apache-8.2.21-2.mga9.x86_64.rpm php-fpm-8.2.21-2.mga9.x86_64.rpm php-sysvsem-8.2.21-2.mga9.x86_64.rpm php-session-8.2.21-2.mga9.x86_64.rpm php-ini-8.2.21-2.mga9.x86_64.rpm php-openssl-8.2.21-2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/9: php-cli ##################################################################################################
2/9: php-sysvshm ##################################################################################################
3/9: php-sysvsem ##################################################################################################
4/9: php-openssl ##################################################################################################
5/9: php-ini ##################################################################################################
6/9: php-zlib ##################################################################################################
7/9: php-session ##################################################################################################
8/9: php-fpm-apache ##################################################################################################
9/9: php-fpm ##################################################################################################
1/9: removing php-fpm-apache-3:8.2.18-1.mga9.x86_64
##################################################################################################
2/9: removing php-fpm-3:8.2.18-1.mga9.x86_64
##################################################################################################
3/9: removing php-session-3:8.2.18-1.mga9.x86_64
##################################################################################################
4/9: removing php-cli-3:8.2.18-1.mga9.x86_64
##################################################################################################
5/9: removing php-sysvsem-3:8.2.18-1.mga9.x86_64
##################################################################################################
6/9: removing php-sysvshm-3:8.2.18-1.mga9.x86_64
##################################################################################################
7/9: removing php-ini-3:8.2.18-1.mga9.x86_64
##################################################################################################
8/9: removing php-zlib-3:8.2.18-1.mga9.x86_64
##################################################################################################
9/9: removing php-openssl-3:8.2.18-1.mga9.x86_64
##################################################################################################
systemctl restart php-fpm.service
systemctl -l status php-fpm.service
● php-fpm.service - The PHP FastCGI Process Manager
Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; enabled; preset: disabled)
Active: active (running) since Wed 2024-07-03 10:43:50 CST; 11s ago
Main PID: 176241 (php-fpm)
Status: "Processes active: 0, idle: 20, Requests: 0, slow: 0, Traffic: 0.00req/sec"
Tasks: 21 (limit: 6904)
Memory: 9.3M
CPU: 42ms
CGroup: /system.slice/php-fpm.service
├─176241 "php-fpm: master process (/etc/php-fpm.conf)"
├─176243 "php-fpm: pool www"
├─176244 "php-fpm: pool www"
├─176245 "php-fpm: pool www"
├─176246 "php-fpm: pool www"
├─176247 "php-fpm: pool www"
├─176248 "php-fpm: pool www"
├─176249 "php-fpm: pool www"
├─176250 "php-fpm: pool www"
├─176251 "php-fpm: pool www"
├─176252 "php-fpm: pool www"
├─176253 "php-fpm: pool www"
├─176254 "php-fpm: pool www"
├─176255 "php-fpm: pool www"
├─176256 "php-fpm: pool www"
├─176257 "php-fpm: pool www"
├─176258 "php-fpm: pool www"
├─176259 "php-fpm: pool www"
├─176260 "php-fpm: pool www"
├─176261 "php-fpm: pool www"
└─176262 "php-fpm: pool www"
jul 03 10:43:49 jgrey.phoenix systemd[1]: Starting php-fpm.service...
jul 03 10:43:50 jgrey.phoenix systemd[1]: Started php-fpm.service.
Still get mixed behavior with my php pages (some work, others not) :( Need to check the apache update recommendation.
katnatek
2024-07-03 19:28:54 CEST
Keywords:
(none) =>
advisory

The problematic page fails after a require, but I have no idea why it was working and I don't know when it stopped working :( I have both testing updates, apache and php, and still have the issue. I will have to recode the included file to see what the hell the issue is, but unless others report something similar I consider that it must not stop this or the apache updates.

@katnatek: usually a required file is not found. You can check apache logs or php-fpm log. One of them should contain some useful information about why require is not found (e.g. search path not set)

advisory will come tomorrow, when changelog is ready.

(In reply to Marc Krämer from comment #4)
> @katnatek: usually a required file is not found. You can check apache logs
> or php-fpm log. One of them should contain some useful information about
> why require is not found (e.g. search path not set)

Not sure why, but I had to change the folder where the problematic page lives; a problem with paths and symlinks. Now it works. BTW thank you for the help.

OK for me, but I was not affected by the bug because I use php-fpm and the rest of the pages work.

I also tested my php script and it works.

Advisory:
This update ships the latest version of php 8.2. It brings the usual bug fixes.

Notable fixes:

DOM:
- Fixed bug GH-14343 (Memory leak in xml and dom).

FPM:
- Fixed bug GH-13563 (Setting bool values via env in FPM config fails).

MySQLnd:
- Fix bug GH-14255 (mysqli_fetch_assoc reports error from nested query).

Posix:
- Fix usage of reentrant functions in ext/posix.

Soap:
- Various memory issues

SPL:
- Fixed bug GH-14290 (Member access within null pointer in extension spl).

Streams:
- Fixed bug GH-11078 (PHP Fatal error triggers pointer being freed was not allocated and malloc: double free for ptr errors).

References:
https://www.php.net/ChangeLog-8.php#8.2.21
https://www.php.net/ChangeLog-8.php#8.2.20
https://www.php.net/ChangeLog-8.php#8.2.19

RH mageia 9 i586

rpm -qa|grep php
php-openssl-8.2.21-2.mga9
php-cli-8.2.21-2.mga9
php-sysvshm-8.2.21-2.mga9
php-zlib-8.2.21-2.mga9
php-ini-8.2.21-2.mga9
php-sysvsem-8.2.21-2.mga9

My php script works

Please guys, my use of php is too basic to give OK based on my test

Whiteboard:
(none) =>
MGA9-64-OK
Nicolas Salguero
2024-07-09 10:04:26 CEST
Component:
RPM Packages =>
Security

Advisory:
This update ships the latest version of php 8.2. It brings a fix for a security issue and the usual bug fixes.

Vulnerability:
- A code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. (CVE-2024-5458)

Notable fixes:

DOM:
- Fixed bug GH-14343 (Memory leak in xml and dom).

FPM:
- Fixed bug GH-13563 (Setting bool values via env in FPM config fails).

MySQLnd:
- Fix bug GH-14255 (mysqli_fetch_assoc reports error from nested query).

Posix:
- Fix usage of reentrant functions in ext/posix.

Soap:
- Various memory issues

SPL:
- Fixed bug GH-14290 (Member access within null pointer in extension spl).

Streams:
- Fixed bug GH-11078 (PHP Fatal error triggers pointer being freed was not allocated and malloc: double free for ptr errors).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5458
https://www.php.net/ChangeLog-8.php#8.2.21
https://www.php.net/ChangeLog-8.php#8.2.20
https://www.php.net/ChangeLog-8.php#8.2.19

CVE:
CVE-2024-4577, CVE-2024-5458, CVE-2024-5585 =>
CVE-2024-5458

Advisory updated

(In reply to katnatek from comment #9)
> Please guys, my use of php is too basic to give OK based on my test

If you don't believe your test is sufficient, then please remove the OK. Having it there will discourage others from trying it out.

BTW, my knowledge of php is even less than yours, so I can't help in this area.

CC:
(none) =>
andrewsfarm

(In reply to Thomas Andrews from comment #12)
> (In reply to katnatek from comment #9)
> > Please guys, my use of php is too basic to give OK based on my test
>
> If you don't believe your test is sufficient, then please remove the OK.
> Having it there will discourage others from trying it out.
>
> BTW, my knowledge of php is even less than yours, so I can't help in this
> area.

I forgot to remove the OK when I sent the comment, thanks

Whiteboard:
MGA9-64-OK =>
(none)

May I ask, what is the problem here?
In most cases we are monitoring and testing for packaging errors and basic failures. It is out of scope to test for specific failures. This is done and should be done upstream.

@katnatek: if you installed it without errors, and your basic tests work, that should be sufficient to give it an OK state, so it can proceed.

(In reply to Marc Krämer from comment #14)
> May I ask, what is the problem here?
> In most cases we are monitoring and testing for packaging errors and basic
> failures. It is out of scope to test for specific failures. This is done and
> should be done upstream.
>
> @katnatek: if you installed it without errors, and your basic tests work,
> that should be sufficient to give it an OK state, so it can proceed.

@katnatek: Since Marc says your test was sufficient, I'm restoring the OK and validating.

Keywords:
(none) =>
validated_update

(In reply to Marc Krämer from comment #14)
> May I ask, what is the problem here?
> In most cases we are monitoring and testing for packaging errors and basic
> failures. It is out of scope to test for specific failures. This is done and
> should be done upstream.
>
> @katnatek: if you installed it without errors, and your basic tests work,
> that should be sufficient to give it an OK state, so it can proceed.

Well, as you can see I use a very small subset of packages; I just did a test with a wide range of packages and use cases.

We depend on you if something rises before the update; I'm not against the validation.

Thank you

(In reply to katnatek from comment #16)
> (In reply to Marc Krämer from comment #14)
> > May I ask, what is the problem here?
> > In most cases we are monitoring and testing for packaging errors and basic
> > failures. It is out of scope to test for specific failures. This is done and
> > should be done upstream.
> >
> > @katnatek: if you installed it without errors, and your basic tests work,
> > that should be sufficient to give it an OK state, so it can proceed.
>
> Well, as you can see I use a very small subset of packages; I just did a
> test with a wide range of packages and use cases.
>
> We depend on you if something rises, I'm not against the
> validation.
>
> Thank you

before the update -> after the update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0262.html

Resolution:
(none) =>
FIXED
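As an added example (not code from this Mageia bug, the QA testers, or the PHP project), a defensive double check for the filter_var / FILTER_VALIDATE_URL issue described in the advisory (CVE-2024-5458): after PHP's own validator accepts a URL, the user and password components are re-validated independently against the RFC 3986 userinfo grammar, so downstream code does not depend on the validator alone while a host is still waiting for php 8.2.21. The function name, the regex constant and the sample URLs are my own assumptions.

```php
<?php
declare(strict_types=1);

// RFC 3986, section 3.2.1:
//   userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
// Hypothetical constant, not part of PHP.
const USERINFO_RE = '/\A(?:[A-Za-z0-9\-._~!$&\'()*+,;=:]|%[0-9A-Fa-f]{2})*\z/';

/**
 * Hypothetical helper: returns the URL when it passes FILTER_VALIDATE_URL
 * AND any user/pass components contain only characters RFC 3986 allows
 * in userinfo; returns false otherwise.
 */
function validate_url_strict(string $url): string|false
{
    // First gate: PHP's own validator (the function CVE-2024-5458 concerns).
    $valid = filter_var($url, FILTER_VALIDATE_URL);
    if ($valid === false) {
        return false;
    }

    // Second gate: parse the accepted URL and re-check userinfo ourselves.
    // parse_url() leaves percent-encoding untouched, so the regex sees the
    // raw component exactly as it appeared in the URL.
    $parts = parse_url($valid);
    if ($parts === false) {
        return false;
    }
    foreach (['user', 'pass'] as $key) {
        if (isset($parts[$key]) && preg_match(USERINFO_RE, $parts[$key]) !== 1) {
            return false;
        }
    }
    return $valid;
}

// Constructed sample inputs.
$samples = [
    'https://example.org/',               // no userinfo at all
    'https://alice:s3cret@example.org/',  // well-formed userinfo
    'https://alice:p%41ss@example.org/',  // percent-encoded octet is allowed
    'https://al ice:pw@example.org/',     // a space is never valid in userinfo
];
foreach ($samples as $s) {
    printf("%-40s %s\n", $s, validate_url_strict($s) === false ? 'reject' : 'accept');
}
```

Run it with `php validate_url_strict.php`; the last sample is rejected and the others accepted. The second gate costs one parse_url() call per URL and stays correct whether or not the underlying PHP build carries the 8.2.21 fix.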