New version 8.0.12 fixes issues CVE-2021-21703 https://www.php.net/ChangeLog-8.php#8.0.12
CVE: (none) => CVE-2021-21703
The fileinfo issue needs to be fixed in the file package (fixed in 5.40, Mageia 8 has 5.39).
@David: sure - but I would not call this "critical". How do we handle this? Do we file a bug against fileinfo?
Whether it's critical or not doesn't matter, but we can fix it in this bug or another one, but they should be fixed together. It probably won't be too difficult to identify the file commit that fixed it, given the information in the PHP bug.
CC: (none) => luigiwalser
I would prefer just to update file package. This can just improve things. For this specific bug, I don't see a reason to fix it. It does not effect any other packages and it is already fixed in php. It just uses too much mem.
You have to be careful updating file because it sometimes can cause regressions with one of the automated scripts run at the end of rpmbuild. We do need to fix it because our php won't use its own fixed code.
Sorry, I don't get it... build_libmagic is not defined, so we don't link against system file-package.
Why did that change? If so it can be in its own bug then, but we should still fix it. PHP fixes is probably the main way we find out about security bugs in file and libzip at least.
I haven't changed that. It is the way since I took over that package (for php 7) And I don't have the background that php is the main source for those bugs. But if it is preferred, I can try to enable file package again for the next build. (currently php does not build in cauldron anymore - looks like some compiler setting has changed)
Updated PHP package fix security vulnerability: - Possibile privilege escalation in PHP-FPM [1] - more bug fixes for php as a regular release [2] References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21703 [2] https://www.php.net/ChangeLog-8.php#8.0.12 ======================== Updated packages in core/updates_testing: ======================== php-fpm-8.0.12-1.mga8 phpdbg-8.0.12-1.mga8 php-cli-8.0.12-1.mga8 php-cgi-8.0.12-1.mga8 php-cli-debuginfo-8.0.12-1.mga8 phpdbg-debuginfo-8.0.12-1.mga8 apache-mod_php-debuginfo-8.0.12-1.mga8 php-cgi-debuginfo-8.0.12-1.mga8 php-fpm-debuginfo-8.0.12-1.mga8 php-soap-debuginfo-8.0.12-1.mga8 php-intl-debuginfo-8.0.12-1.mga8 php-opcache-8.0.12-1.mga8 php-mbstring-8.0.12-1.mga8 php-mbstring-debuginfo-8.0.12-1.mga8 php-debuginfo-8.0.12-1.mga8 php-opcache-debuginfo-8.0.12-1.mga8 php-phar-debuginfo-8.0.12-1.mga8 php-mysqlnd-debuginfo-8.0.12-1.mga8 php-openssl-debuginfo-8.0.12-1.mga8 php-dom-debuginfo-8.0.12-1.mga8 php-pgsql-debuginfo-8.0.12-1.mga8 php-intl-8.0.12-1.mga8 php-fileinfo-debuginfo-8.0.12-1.mga8 php-mysqli-debuginfo-8.0.12-1.mga8 apache-mod_php-8.0.12-1.mga8 php-curl-debuginfo-8.0.12-1.mga8 php-pdo-debuginfo-8.0.12-1.mga8 php-ini-8.0.12-1.mga8 php-soap-8.0.12-1.mga8 php-sockets-debuginfo-8.0.12-1.mga8 php-session-debuginfo-8.0.12-1.mga8 php-phar-8.0.12-1.mga8 php-mysqlnd-8.0.12-1.mga8 php-gmp-debuginfo-8.0.12-1.mga8 php-imap-debuginfo-8.0.12-1.mga8 php-gd-debuginfo-8.0.12-1.mga8 php-ldap-debuginfo-8.0.12-1.mga8 php-exif-debuginfo-8.0.12-1.mga8 php-zip-debuginfo-8.0.12-1.mga8 php-ftp-debuginfo-8.0.12-1.mga8 php-snmp-debuginfo-8.0.12-1.mga8 php-dba-debuginfo-8.0.12-1.mga8 php-sodium-debuginfo-8.0.12-1.mga8 php-openssl-8.0.12-1.mga8 php-tidy-debuginfo-8.0.12-1.mga8 php-dom-8.0.12-1.mga8 php-doc-8.0.12-1.mga8 php-filter-debuginfo-8.0.12-1.mga8 php-bcmath-debuginfo-8.0.12-1.mga8 php-sqlite3-debuginfo-8.0.12-1.mga8 php-iconv-debuginfo-8.0.12-1.mga8 php-pgsql-8.0.12-1.mga8 php-mysqli-8.0.12-1.mga8 php-odbc-debuginfo-8.0.12-1.mga8 php-posix-debuginfo-8.0.12-1.mga8 php-zlib-debuginfo-8.0.12-1.mga8 php-pdo-8.0.12-1.mga8 php-session-8.0.12-1.mga8 php-pdo_pgsql-debuginfo-8.0.12-1.mga8 php-pdo_mysql-debuginfo-8.0.12-1.mga8 php-curl-8.0.12-1.mga8 php-gd-8.0.12-1.mga8 php-pdo_firebird-debuginfo-8.0.12-1.mga8 php-sockets-8.0.12-1.mga8 php-xsl-debuginfo-8.0.12-1.mga8 php-imap-8.0.12-1.mga8 php-tokenizer-debuginfo-8.0.12-1.mga8 php-xmlwriter-debuginfo-8.0.12-1.mga8 php-pdo_sqlite-debuginfo-8.0.12-1.mga8 php-sodium-8.0.12-1.mga8 php-xmlreader-debuginfo-8.0.12-1.mga8 php-pdo_dblib-debuginfo-8.0.12-1.mga8 php-calendar-debuginfo-8.0.12-1.mga8 php-readline-debuginfo-8.0.12-1.mga8 php-exif-8.0.12-1.mga8 php-pcntl-debuginfo-8.0.12-1.mga8 php-ldap-8.0.12-1.mga8 php-zip-8.0.12-1.mga8 php-gmp-8.0.12-1.mga8 php-fileinfo-8.0.12-1.mga8 php-ftp-8.0.12-1.mga8 php-pdo_odbc-debuginfo-8.0.12-1.mga8 php-dba-8.0.12-1.mga8 php-odbc-8.0.12-1.mga8 php-sqlite3-8.0.12-1.mga8 php-bz2-debuginfo-8.0.12-1.mga8 php-zlib-8.0.12-1.mga8 php-tidy-8.0.12-1.mga8 php-snmp-8.0.12-1.mga8 php-iconv-8.0.12-1.mga8 php-enchant-debuginfo-8.0.12-1.mga8 php-bcmath-8.0.12-1.mga8 php-pdo_pgsql-8.0.12-1.mga8 php-xmlwriter-8.0.12-1.mga8 php-gettext-debuginfo-8.0.12-1.mga8 php-ctype-debuginfo-8.0.12-1.mga8 php-filter-8.0.12-1.mga8 php-pdo_sqlite-8.0.12-1.mga8 php-pcntl-8.0.12-1.mga8 php-pdo_firebird-8.0.12-1.mga8 php-posix-8.0.12-1.mga8 php-sysvmsg-debuginfo-8.0.12-1.mga8 php-xmlreader-8.0.12-1.mga8 php-pdo_dblib-8.0.12-1.mga8 php-xsl-8.0.12-1.mga8 php-readline-8.0.12-1.mga8 php-calendar-8.0.12-1.mga8 php-pdo_mysql-8.0.12-1.mga8 php-sysvshm-debuginfo-8.0.12-1.mga8 php-bz2-8.0.12-1.mga8 php-tokenizer-8.0.12-1.mga8 php-enchant-8.0.12-1.mga8 php-shmop-debuginfo-8.0.12-1.mga8 php-sysvsem-debuginfo-8.0.12-1.mga8 php-pdo_odbc-8.0.12-1.mga8 php-shmop-8.0.12-1.mga8 php-gettext-8.0.12-1.mga8 php-sysvshm-8.0.12-1.mga8 php-sysvmsg-8.0.12-1.mga8 php-sysvsem-8.0.12-1.mga8 php-fpm-apache-8.0.12-1.mga8 php-fpm-nginx-8.0.12-1.mga8 php-ctype-8.0.12-1.mga8 php-debugsource-8.0.12-1.mga8 php-devel-8.0.12-1.mga8 SRPM: php-8.0.12-1.mga8.src.rpm
Assignee: mageia => qa-bugs
Blocks: (none) => 29594
MGA8-64 Plasma on Lenovo B50 Omitted alldebug stuff installation had no issues. Ref bug 25045 for testing. Made sure httpd is running, then with php folder and its test files under myhome folder Documenten. $ php -S localhost:8000 -t php [Wed Oct 27 11:18:12 2021] PHP 8.0.12 Development Server (http://localhost:8000) started then pointing browser to https://localhost:8000/create-png.php displays image OK and http://localhost:8000/sample.php displays the captain's message OK AFAICS good enough.
CC: (none) => herman.viaene
More info on the php-fpm security fix: https://www.openwall.com/lists/oss-security/2021/10/26/7
puh. who has time to read this? Maybe it is interesting what was the problem - but this article is way to long.
LOL, well it's more information than we need right now, but it's there if anyone is interested. I'm just sharing the reference.
can we push it?
I'm not a php programmer, but as far as the test goes, and as in previous updates, I'll OK it.
Whiteboard: (none) => MGA8-64-OK
Installed and tested without issues. Using php-fpm instead of mod_php. Tested several scripts (e.g. phpmyadmin, roundcubemail, wordpress, drupal, several custom). Tested HTTP 1.1, HTTP 2, TLS and CLI. System: Mageia 8, x86_64, Intel CPU. $ uname -a Linux marte 5.10.75-desktop-1.mga8 #1 SMP Wed Oct 20 10:23:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ rpm -qa | grep php.*8\\.0 | sort apache-mod_php-8.0.12-1.mga8 php-bz2-8.0.12-1.mga8 php-cli-8.0.12-1.mga8 php-ctype-8.0.12-1.mga8 php-curl-8.0.12-1.mga8 php-dom-8.0.12-1.mga8 php-exif-8.0.12-1.mga8 php-fileinfo-8.0.12-1.mga8 php-filter-8.0.12-1.mga8 php-fpm-8.0.12-1.mga8 php-ftp-8.0.12-1.mga8 php-gd-8.0.12-1.mga8 php-gettext-8.0.12-1.mga8 php-iconv-8.0.12-1.mga8 php-imap-8.0.12-1.mga8 php-ini-8.0.12-1.mga8 php-intl-8.0.12-1.mga8 php-ldap-8.0.12-1.mga8 php-mbstring-8.0.12-1.mga8 php-mysqli-8.0.12-1.mga8 php-mysqlnd-8.0.12-1.mga8 php-openssl-8.0.12-1.mga8 php-pdo-8.0.12-1.mga8 php-pdo_mysql-8.0.12-1.mga8 php-pdo_sqlite-8.0.12-1.mga8 php-posix-8.0.12-1.mga8 php-session-8.0.12-1.mga8 php-sockets-8.0.12-1.mga8 php-sysvsem-8.0.12-1.mga8 php-sysvshm-8.0.12-1.mga8 php-tokenizer-8.0.12-1.mga8 php-xmlreader-8.0.12-1.mga8 php-xmlwriter-8.0.12-1.mga8 php-zip-8.0.12-1.mga8 php-zlib-8.0.12-1.mga8 $ systemctl status httpd.socket php-fpm.socket httpd.service php-fpm.service ● httpd.socket - httpd server activation socket Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled) Active: active (running) since Sat 2021-10-30 11:02:33 WEST; 4min 7s ago Triggers: ● httpd.service Listen: [::]:80 (Stream) [::]:443 (Stream) Tasks: 0 (limit: 4691) Memory: 12.0K CPU: 2ms CGroup: /system.slice/httpd.socket out 30 11:02:33 marte systemd[1]: Listening on httpd server activation socket. ● php-fpm.socket - php-fpm Server Socket Loaded: loaded (/usr/local/lib/systemd/system/php-fpm.socket; enabled; vendor preset: disabled) Active: inactive (dead) since Sat 2021-10-30 11:03:11 WEST; 3min 30s ago Triggers: ● php-fpm.service Listen: /var/lib/php-fpm/php-fpm.sock (Stream) out 30 11:02:33 marte systemd[1]: Listening on php-fpm Server Socket. out 30 11:03:11 marte systemd[1]: php-fpm.socket: Succeeded. out 30 11:03:11 marte systemd[1]: Closed php-fpm Server Socket. ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled) Active: active (running) since Sat 2021-10-30 11:03:11 WEST; 3min 31s ago TriggeredBy: ● httpd.socket Main PID: 2442 (httpd) Status: "Total requests: 3; Idle/Busy workers 100/0;Requests/sec: 0.0144; Bytes served/sec: 501 B/sec" Tasks: 54 (limit: 4691) Memory: 34.0M CPU: 135ms CGroup: /system.slice/httpd.service ├─2442 /usr/sbin/httpd -DFOREGROUND ├─2443 /usr/sbin/httpd -DFOREGROUND └─2444 /usr/sbin/httpd -DFOREGROUND out 30 11:03:11 marte systemd[1]: Starting The Apache HTTP Server... out 30 11:03:11 marte systemd[1]: Started The Apache HTTP Server. ● php-fpm.service - The PHP FastCGI Process Manager Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled) Active: active (running) since Sat 2021-10-30 11:03:12 WEST; 3min 30s ago TriggeredBy: ● php-fpm.socket Main PID: 2497 (php-fpm) Status: "Processes active: 0, idle: 2, Requests: 1, slow: 0, Traffic: 0req/sec" Tasks: 3 (limit: 4691) Memory: 50.1M CPU: 184ms CGroup: /system.slice/php-fpm.service ├─2497 php-fpm: master process (/etc/php-fpm.conf) ├─2503 php-fpm: pool www └─2518 php-fpm: pool www
CC: (none) => mageia
Validating. Looks like the advisory is in Comment 9.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0501.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
puh. who has time to read this? http://localhost:8000/sample.php https://octordle.io
CC: (none) => Justinmachany932