a new release is in town which fixes some heap-/buffer-overflows: https://www.php.net/ChangeLog-8.php#8.0.10
Updated php packages fix security vulnerabilities:

- Integer overflow in mysqli_real_escape_string()
- Symlinks are followed when creating PHAR archive
- shmop can't read beyond 2147483647 bytes
- Integer overflow on substr_replace
- Heap buffer overflow via str_repeat

References:
https://www.php.net/ChangeLog-8.php#8.0.10

========================
Updated packages in core/updates_testing:
========================
php-openssl-debuginfo-8.0.10-1.mga8
php-dom-debuginfo-8.0.10-1.mga8
php-mysqlnd-debuginfo-8.0.10-1.mga8
php-phar-debuginfo-8.0.10-1.mga8
php-debuginfo-8.0.10-1.mga8
php-mbstring-8.0.10-1.mga8
php-mbstring-debuginfo-8.0.10-1.mga8
php-opcache-8.0.10-1.mga8
php-pgsql-debuginfo-8.0.10-1.mga8
php-curl-debuginfo-8.0.10-1.mga8
php-mysqli-debuginfo-8.0.10-1.mga8
php-intl-debuginfo-8.0.10-1.mga8
php-sockets-debuginfo-8.0.10-1.mga8
php-ini-8.0.10-1.mga8
php-soap-debuginfo-8.0.10-1.mga8
php-session-debuginfo-8.0.10-1.mga8
php-intl-8.0.10-1.mga8
php-fileinfo-debuginfo-8.0.10-1.mga8
php-pdo-debuginfo-8.0.10-1.mga8
php-soap-8.0.10-1.mga8
php-mysqlnd-8.0.10-1.mga8
php-phar-8.0.10-1.mga8
php-imap-debuginfo-8.0.10-1.mga8
php-gmp-debuginfo-8.0.10-1.mga8
php-gd-debuginfo-8.0.10-1.mga8
php-zip-debuginfo-8.0.10-1.mga8
php-ldap-debuginfo-8.0.10-1.mga8
php-exif-debuginfo-8.0.10-1.mga8
php-snmp-debuginfo-8.0.10-1.mga8
php-ftp-debuginfo-8.0.10-1.mga8
php-dba-debuginfo-8.0.10-1.mga8
php-tidy-debuginfo-8.0.10-1.mga8
php-openssl-8.0.10-1.mga8
php-sodium-debuginfo-8.0.10-1.mga8
php-doc-8.0.10-1.mga8
php-dom-8.0.10-1.mga8
php-bcmath-debuginfo-8.0.10-1.mga8
php-mysqli-8.0.10-1.mga8
php-sqlite3-debuginfo-8.0.10-1.mga8
php-filter-debuginfo-8.0.10-1.mga8
php-odbc-debuginfo-8.0.10-1.mga8
php-iconv-debuginfo-8.0.10-1.mga8
php-zlib-debuginfo-8.0.10-1.mga8
php-pgsql-8.0.10-1.mga8
php-posix-debuginfo-8.0.10-1.mga8
php-pdo-8.0.10-1.mga8
php-pdo_pgsql-debuginfo-8.0.10-1.mga8
php-curl-8.0.10-1.mga8
php-session-8.0.10-1.mga8
php-pdo_mysql-debuginfo-8.0.10-1.mga8
php-gd-8.0.10-1.mga8
php-xsl-debuginfo-8.0.10-1.mga8
php-pdo_firebird-debuginfo-8.0.10-1.mga8
php-sockets-8.0.10-1.mga8
php-pdo_sqlite-debuginfo-8.0.10-1.mga8
php-imap-8.0.10-1.mga8
php-calendar-debuginfo-8.0.10-1.mga8
php-xmlwriter-debuginfo-8.0.10-1.mga8
php-tokenizer-debuginfo-8.0.10-1.mga8
php-sodium-8.0.10-1.mga8
php-xmlreader-debuginfo-8.0.10-1.mga8
php-pdo_dblib-debuginfo-8.0.10-1.mga8
php-exif-8.0.10-1.mga8
php-odbc-8.0.10-1.mga8
php-readline-debuginfo-8.0.10-1.mga8
php-gmp-8.0.10-1.mga8
php-pcntl-debuginfo-8.0.10-1.mga8
php-zip-8.0.10-1.mga8
php-ldap-8.0.10-1.mga8
php-ftp-8.0.10-1.mga8
php-dba-8.0.10-1.mga8
php-pdo_odbc-debuginfo-8.0.10-1.mga8
php-iconv-8.0.10-1.mga8
php-zlib-8.0.10-1.mga8
php-enchant-debuginfo-8.0.10-1.mga8
php-sqlite3-8.0.10-1.mga8
php-snmp-8.0.10-1.mga8
php-bz2-debuginfo-8.0.10-1.mga8
php-tidy-8.0.10-1.mga8
php-xmlwriter-8.0.10-1.mga8
php-pdo_pgsql-8.0.10-1.mga8
php-filter-8.0.10-1.mga8
php-sysvmsg-debuginfo-8.0.10-1.mga8
php-ctype-debuginfo-8.0.10-1.mga8
phpdbg-8.0.10-1.mga8
php-pcntl-8.0.10-1.mga8
php-pdo_firebird-8.0.10-1.mga8
php-bcmath-8.0.10-1.mga8
php-posix-8.0.10-1.mga8
php-xmlreader-8.0.10-1.mga8
php-pdo_sqlite-8.0.10-1.mga8
php-gettext-debuginfo-8.0.10-1.mga8
php-fpm-8.0.10-1.mga8
php-xsl-8.0.10-1.mga8
php-sysvshm-debuginfo-8.0.10-1.mga8
php-cgi-8.0.10-1.mga8
php-readline-8.0.10-1.mga8
php-calendar-8.0.10-1.mga8
php-pdo_mysql-8.0.10-1.mga8
php-pdo_odbc-8.0.10-1.mga8
php-pdo_dblib-8.0.10-1.mga8
php-bz2-8.0.10-1.mga8
php-shmop-debuginfo-8.0.10-1.mga8
php-tokenizer-8.0.10-1.mga8
php-sysvsem-debuginfo-8.0.10-1.mga8
php-sysvshm-8.0.10-1.mga8
php-enchant-8.0.10-1.mga8
php-gettext-8.0.10-1.mga8
php-shmop-8.0.10-1.mga8
php-sysvmsg-8.0.10-1.mga8
php-fpm-apache-8.0.10-1.mga8
php-fpm-nginx-8.0.10-1.mga8
php-sysvsem-8.0.10-1.mga8
php-ctype-8.0.10-1.mga8
apache-mod_php-8.0.10-1.mga8
php-cli-8.0.10-1.mga8
php-opcache-debuginfo-8.0.10-1.mga8
php-fileinfo-8.0.10-1.mga8
apache-mod_php-debuginfo-8.0.10-1.mga8
php-fpm-debuginfo-8.0.10-1.mga8
php-cgi-debuginfo-8.0.10-1.mga8
php-cli-debuginfo-8.0.10-1.mga8
phpdbg-debuginfo-8.0.10-1.mga8
php-debugsource-8.0.10-1.mga8
php-devel-8.0.10-1.mga8

SRPM:
php-8.0.10-1.mga8.src.rpm
Assignee: mageia => qa-bugs
MGA8-64 Plasma on Lenovo B50
Omitted all debug stuff, then got:
Sorry, the following package cannot be selected:
- php-fpm-apache-8.0.10-1.mga8.x86_64 (conflicts with apache-mod_php-8.0.10-1.mga8.x86_64)
Continued, omitting php-fpm-apache.
Ref bug 25045 for tests.
Image and message display OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
@herman: that is intentional. You should not run php-fpm while apache-mod is installed.
Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Summary: PHP: bugfix release 8.10.0 => PHP: bugfix release 8.0.10
Update has been replaced by 8.0.11 in updates_testing.
Summary: PHP: bugfix release 8.0.10 => PHP: bugfix release 8.0.11
Keywords: validated_update => (none)
Whiteboard: MGA8-64-OK => (none)
uups. Sorry, was preparing the next version which is released today and will be announced on Thursday. Thought this one was already moved.... php releases come very regularly ~ every month.
Yeah nobody has pushed any updates in a while. We'll just have to update the advisory for this one once it is announced.
yeep, waiting for the official changelog. *sorry for the confusion*
Updated php packages fix security vulnerabilities:

- Integer overflow in mysqli_real_escape_string()
- Symlinks are followed when creating PHAR archive
- shmop can't read beyond 2147483647 bytes
- Integer overflow on substr_replace
- Heap buffer overflow via str_repeat
- Integer Overflow when concatenating strings
- segfault with preloading and statically bound closure
- shmop_open won't attach and causes php to crash
- Heap Overflow in msg_send
- ZipArchive::extractTo extracts outside of destination

References:
https://www.php.net/ChangeLog-8.php#8.0.11

========================
Updated packages in core/updates_testing:
========================
php-openssl-debuginfo-8.0.11-1.mga8
php-dom-debuginfo-8.0.11-1.mga8
php-mysqlnd-debuginfo-8.0.11-1.mga8
php-phar-debuginfo-8.0.11-1.mga8
php-debuginfo-8.0.11-1.mga8
php-mbstring-8.0.11-1.mga8
php-mbstring-debuginfo-8.0.11-1.mga8
php-opcache-8.0.11-1.mga8
php-pgsql-debuginfo-8.0.11-1.mga8
php-curl-debuginfo-8.0.11-1.mga8
php-mysqli-debuginfo-8.0.11-1.mga8
php-intl-debuginfo-8.0.11-1.mga8
php-sockets-debuginfo-8.0.11-1.mga8
php-ini-8.0.11-1.mga8
php-soap-debuginfo-8.0.11-1.mga8
php-session-debuginfo-8.0.11-1.mga8
php-intl-8.0.11-1.mga8
php-fileinfo-debuginfo-8.0.11-1.mga8
php-pdo-debuginfo-8.0.11-1.mga8
php-soap-8.0.11-1.mga8
php-mysqlnd-8.0.11-1.mga8
php-phar-8.0.11-1.mga8
php-imap-debuginfo-8.0.11-1.mga8
php-gmp-debuginfo-8.0.11-1.mga8
php-gd-debuginfo-8.0.11-1.mga8
php-zip-debuginfo-8.0.11-1.mga8
php-ldap-debuginfo-8.0.11-1.mga8
php-exif-debuginfo-8.0.11-1.mga8
php-snmp-debuginfo-8.0.11-1.mga8
php-ftp-debuginfo-8.0.11-1.mga8
php-dba-debuginfo-8.0.11-1.mga8
php-tidy-debuginfo-8.0.11-1.mga8
php-openssl-8.0.11-1.mga8
php-sodium-debuginfo-8.0.11-1.mga8
php-doc-8.0.11-1.mga8
php-dom-8.0.11-1.mga8
php-bcmath-debuginfo-8.0.11-1.mga8
php-mysqli-8.0.11-1.mga8
php-sqlite3-debuginfo-8.0.11-1.mga8
php-filter-debuginfo-8.0.11-1.mga8
php-odbc-debuginfo-8.0.11-1.mga8
php-iconv-debuginfo-8.0.11-1.mga8
php-zlib-debuginfo-8.0.11-1.mga8
php-pgsql-8.0.11-1.mga8
php-posix-debuginfo-8.0.11-1.mga8
php-pdo-8.0.11-1.mga8
php-pdo_pgsql-debuginfo-8.0.11-1.mga8
php-curl-8.0.11-1.mga8
php-session-8.0.11-1.mga8
php-pdo_mysql-debuginfo-8.0.11-1.mga8
php-gd-8.0.11-1.mga8
php-xsl-debuginfo-8.0.11-1.mga8
php-pdo_firebird-debuginfo-8.0.11-1.mga8
php-sockets-8.0.11-1.mga8
php-pdo_sqlite-debuginfo-8.0.11-1.mga8
php-imap-8.0.11-1.mga8
php-calendar-debuginfo-8.0.11-1.mga8
php-xmlwriter-debuginfo-8.0.11-1.mga8
php-tokenizer-debuginfo-8.0.11-1.mga8
php-sodium-8.0.11-1.mga8
php-xmlreader-debuginfo-8.0.11-1.mga8
php-pdo_dblib-debuginfo-8.0.11-1.mga8
php-exif-8.0.11-1.mga8
php-odbc-8.0.11-1.mga8
php-readline-debuginfo-8.0.11-1.mga8
php-gmp-8.0.11-1.mga8
php-pcntl-debuginfo-8.0.11-1.mga8
php-zip-8.0.11-1.mga8
php-ldap-8.0.11-1.mga8
php-ftp-8.0.11-1.mga8
php-dba-8.0.11-1.mga8
php-pdo_odbc-debuginfo-8.0.11-1.mga8
php-iconv-8.0.11-1.mga8
php-zlib-8.0.11-1.mga8
php-enchant-debuginfo-8.0.11-1.mga8
php-sqlite3-8.0.11-1.mga8
php-snmp-8.0.11-1.mga8
php-bz2-debuginfo-8.0.11-1.mga8
php-tidy-8.0.11-1.mga8
php-xmlwriter-8.0.11-1.mga8
php-pdo_pgsql-8.0.11-1.mga8
php-filter-8.0.11-1.mga8
php-sysvmsg-debuginfo-8.0.11-1.mga8
php-ctype-debuginfo-8.0.11-1.mga8
phpdbg-8.0.11-1.mga8
php-pcntl-8.0.11-1.mga8
php-pdo_firebird-8.0.11-1.mga8
php-bcmath-8.0.11-1.mga8
php-posix-8.0.11-1.mga8
php-xmlreader-8.0.11-1.mga8
php-pdo_sqlite-8.0.11-1.mga8
php-gettext-debuginfo-8.0.11-1.mga8
php-fpm-8.0.11-1.mga8
php-xsl-8.0.11-1.mga8
php-sysvshm-debuginfo-8.0.11-1.mga8
php-cgi-8.0.11-1.mga8
php-readline-8.0.11-1.mga8
php-calendar-8.0.11-1.mga8
php-pdo_mysql-8.0.11-1.mga8
php-pdo_odbc-8.0.11-1.mga8
php-pdo_dblib-8.0.11-1.mga8
php-bz2-8.0.11-1.mga8
php-shmop-debuginfo-8.0.11-1.mga8
php-tokenizer-8.0.11-1.mga8
php-sysvsem-debuginfo-8.0.11-1.mga8
php-sysvshm-8.0.11-1.mga8
php-enchant-8.0.11-1.mga8
php-gettext-8.0.11-1.mga8
php-shmop-8.0.11-1.mga8
php-sysvmsg-8.0.11-1.mga8
php-fpm-apache-8.0.11-1.mga8
php-fpm-nginx-8.0.11-1.mga8
php-sysvsem-8.0.11-1.mga8
php-ctype-8.0.11-1.mga8
apache-mod_php-8.0.11-1.mga8
php-cli-8.0.11-1.mga8
php-opcache-debuginfo-8.0.11-1.mga8
php-fileinfo-8.0.11-1.mga8
apache-mod_php-debuginfo-8.0.11-1.mga8
php-fpm-debuginfo-8.0.11-1.mga8
php-cgi-debuginfo-8.0.11-1.mga8
php-cli-debuginfo-8.0.11-1.mga8
phpdbg-debuginfo-8.0.11-1.mga8
php-debugsource-8.0.11-1.mga8
php-devel-8.0.11-1.mga8

SRPM:
php-8.0.11-1.mga8.src.rpm
Repeated tests as in Comment 2.
Image and message display OK.
Whiteboard: (none) => MGA8-64-OK
Validating once more. Advisory information in Comment 9.
Keywords: (none) => validated_update
(In reply to David Walser from comment #7)
> Yeah nobody has pushed any updates in a while. We'll just have to update
> the advisory for this one once it is announced.

yeah, looks like almost no-one cares about adding advisories so why should I...
Keywords: (none) => advisory
Yeah, and I hope you didn't take that as a criticism of you. I'm disappointed that we haven't gotten more people to step up and help with it. It's not that difficult to do, and when this system of pushing updates was first devised, the SVN advisories were supposed to be a QA responsibility, but it ended up mostly falling on you.
what are you talking about, there is an advisory given.
Packagers writing an advisory is just the first step. Then we have a place in SVN where they are committed in a YAML format. This needs to be done before sysadmins can push an update. QA or Packagers can do it, but most of the time, they don't. A new Bugsquad guy was doing it for a while, but he went on a long vacation or something.
ah. Thanks David. I haven't had the time to get to know the details about the exact system and how it works.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0442.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED