Bug 29413 - PHP: bugfix release 8.0.11
Summary: PHP: bugfix release 8.0.11
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Reported: 2021-08-26 14:59 CEST by Marc Krämer
Modified: 2021-09-22 00:45 CEST

Source RPM: php

Description Marc Krämer 2021-08-26 14:59:27 CEST
a new release is in town which fixes some heap-/buffer-overflows:
https://www.php.net/ChangeLog-8.php#8.0.10
Comment 1 Marc Krämer 2021-08-26 15:04:24 CEST
Updated php packages fix security vulnerabilities:
- Integer overflow in mysqli_real_escape_string()
- Symlinks are followed when creating PHAR archive
- shmop can't read beyond 2147483647 bytes
- Integer overflow on substr_replace
- Heap buffer overflow via str_repeat

References:
https://www.php.net/ChangeLog-8.php#8.0.10
========================

Updated packages in core/updates_testing:
========================
php-openssl-debuginfo-8.0.10-1.mga8
php-dom-debuginfo-8.0.10-1.mga8
php-mysqlnd-debuginfo-8.0.10-1.mga8
php-phar-debuginfo-8.0.10-1.mga8
php-debuginfo-8.0.10-1.mga8
php-mbstring-8.0.10-1.mga8
php-mbstring-debuginfo-8.0.10-1.mga8
php-opcache-8.0.10-1.mga8
php-pgsql-debuginfo-8.0.10-1.mga8
php-curl-debuginfo-8.0.10-1.mga8
php-mysqli-debuginfo-8.0.10-1.mga8
php-intl-debuginfo-8.0.10-1.mga8
php-sockets-debuginfo-8.0.10-1.mga8
php-ini-8.0.10-1.mga8
php-soap-debuginfo-8.0.10-1.mga8
php-session-debuginfo-8.0.10-1.mga8
php-intl-8.0.10-1.mga8
php-fileinfo-debuginfo-8.0.10-1.mga8
php-pdo-debuginfo-8.0.10-1.mga8
php-soap-8.0.10-1.mga8
php-mysqlnd-8.0.10-1.mga8
php-phar-8.0.10-1.mga8
php-imap-debuginfo-8.0.10-1.mga8
php-gmp-debuginfo-8.0.10-1.mga8
php-gd-debuginfo-8.0.10-1.mga8
php-zip-debuginfo-8.0.10-1.mga8
php-ldap-debuginfo-8.0.10-1.mga8
php-exif-debuginfo-8.0.10-1.mga8
php-snmp-debuginfo-8.0.10-1.mga8
php-ftp-debuginfo-8.0.10-1.mga8
php-dba-debuginfo-8.0.10-1.mga8
php-tidy-debuginfo-8.0.10-1.mga8
php-openssl-8.0.10-1.mga8
php-sodium-debuginfo-8.0.10-1.mga8
php-doc-8.0.10-1.mga8
php-dom-8.0.10-1.mga8
php-bcmath-debuginfo-8.0.10-1.mga8
php-mysqli-8.0.10-1.mga8
php-sqlite3-debuginfo-8.0.10-1.mga8
php-filter-debuginfo-8.0.10-1.mga8
php-odbc-debuginfo-8.0.10-1.mga8
php-iconv-debuginfo-8.0.10-1.mga8
php-zlib-debuginfo-8.0.10-1.mga8
php-pgsql-8.0.10-1.mga8
php-posix-debuginfo-8.0.10-1.mga8
php-pdo-8.0.10-1.mga8
php-pdo_pgsql-debuginfo-8.0.10-1.mga8
php-curl-8.0.10-1.mga8
php-session-8.0.10-1.mga8
php-pdo_mysql-debuginfo-8.0.10-1.mga8
php-gd-8.0.10-1.mga8
php-xsl-debuginfo-8.0.10-1.mga8
php-pdo_firebird-debuginfo-8.0.10-1.mga8
php-sockets-8.0.10-1.mga8
php-pdo_sqlite-debuginfo-8.0.10-1.mga8
php-imap-8.0.10-1.mga8
php-calendar-debuginfo-8.0.10-1.mga8
php-xmlwriter-debuginfo-8.0.10-1.mga8
php-tokenizer-debuginfo-8.0.10-1.mga8
php-sodium-8.0.10-1.mga8
php-xmlreader-debuginfo-8.0.10-1.mga8
php-pdo_dblib-debuginfo-8.0.10-1.mga8
php-exif-8.0.10-1.mga8
php-odbc-8.0.10-1.mga8
php-readline-debuginfo-8.0.10-1.mga8
php-gmp-8.0.10-1.mga8
php-pcntl-debuginfo-8.0.10-1.mga8
php-zip-8.0.10-1.mga8
php-ldap-8.0.10-1.mga8
php-ftp-8.0.10-1.mga8
php-dba-8.0.10-1.mga8
php-pdo_odbc-debuginfo-8.0.10-1.mga8
php-iconv-8.0.10-1.mga8
php-zlib-8.0.10-1.mga8
php-enchant-debuginfo-8.0.10-1.mga8
php-sqlite3-8.0.10-1.mga8
php-snmp-8.0.10-1.mga8
php-bz2-debuginfo-8.0.10-1.mga8
php-tidy-8.0.10-1.mga8
php-xmlwriter-8.0.10-1.mga8
php-pdo_pgsql-8.0.10-1.mga8
php-filter-8.0.10-1.mga8
php-sysvmsg-debuginfo-8.0.10-1.mga8
php-ctype-debuginfo-8.0.10-1.mga8
phpdbg-8.0.10-1.mga8
php-pcntl-8.0.10-1.mga8
php-pdo_firebird-8.0.10-1.mga8
php-bcmath-8.0.10-1.mga8
php-posix-8.0.10-1.mga8
php-xmlreader-8.0.10-1.mga8
php-pdo_sqlite-8.0.10-1.mga8
php-gettext-debuginfo-8.0.10-1.mga8
php-fpm-8.0.10-1.mga8
php-xsl-8.0.10-1.mga8
php-sysvshm-debuginfo-8.0.10-1.mga8
php-cgi-8.0.10-1.mga8
php-readline-8.0.10-1.mga8
php-calendar-8.0.10-1.mga8
php-pdo_mysql-8.0.10-1.mga8
php-pdo_odbc-8.0.10-1.mga8
php-pdo_dblib-8.0.10-1.mga8
php-bz2-8.0.10-1.mga8
php-shmop-debuginfo-8.0.10-1.mga8
php-tokenizer-8.0.10-1.mga8
php-sysvsem-debuginfo-8.0.10-1.mga8
php-sysvshm-8.0.10-1.mga8
php-enchant-8.0.10-1.mga8
php-gettext-8.0.10-1.mga8
php-shmop-8.0.10-1.mga8
php-sysvmsg-8.0.10-1.mga8
php-fpm-apache-8.0.10-1.mga8
php-fpm-nginx-8.0.10-1.mga8
php-sysvsem-8.0.10-1.mga8
php-ctype-8.0.10-1.mga8
apache-mod_php-8.0.10-1.mga8
php-cli-8.0.10-1.mga8
php-opcache-debuginfo-8.0.10-1.mga8
php-fileinfo-8.0.10-1.mga8
apache-mod_php-debuginfo-8.0.10-1.mga8
php-fpm-debuginfo-8.0.10-1.mga8
php-cgi-debuginfo-8.0.10-1.mga8
php-cli-debuginfo-8.0.10-1.mga8
phpdbg-debuginfo-8.0.10-1.mga8
php-debugsource-8.0.10-1.mga8
php-devel-8.0.10-1.mga8

SRPM:
php-8.0.10-1.mga8.src.rpm

Assignee: mageia => qa-bugs

Comment 2 Herman Viaene 2021-09-18 15:36:00 CEST
MGA8-64 Plasma on Lenovo B50
Omitted all debug stuff, then got:
Sorry, the following package cannot be selected:

- php-fpm-apache-8.0.10-1.mga8.x86_64 (conflicts with apache-mod_php-8.0.10-1.mga8.x86_64)
Continued omitting php-fpm-apache

Ref bug 25045 for tests.
Image and message display OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 3 Marc Krämer 2021-09-19 10:37:58 CEST
@herman: that is intentional. You should not run php-fpm while apache-mod is installed.
Comment 4 Thomas Andrews 2021-09-20 14:30:58 CEST
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Frédéric "LpSolit" Buclin 2021-09-21 11:57:06 CEST

Summary: PHP: bugfix release 8.10.0 => PHP: bugfix release 8.0.10

Comment 5 David Walser 2021-09-21 23:36:33 CEST
Update has been replaced by 8.0.11 in updates_testing.

Whiteboard: MGA8-64-OK => (none)
Summary: PHP: bugfix release 8.0.10 => PHP: bugfix release 8.0.11
Keywords: validated_update => (none)

Comment 6 Marc Krämer 2021-09-22 00:02:33 CEST
uups. Sorry, was preparing the next version which is released today and will be announced on Thursday. Thought this one was already moved....

PHP releases come very regularly ~ every month.
Comment 7 David Walser 2021-09-22 00:42:11 CEST
Yeah nobody has pushed any updates in a while. We'll just have to update the advisory for this one once it is announced.
Comment 8 Marc Krämer 2021-09-22 00:45:07 CEST
yeep, waiting for the official changelog. *sorry for the confusion*
