security update of php: https://www.php.net/ChangeLog-8.php#8.0.25
Updated php packages fix security vulnerabilities:

A new update has been released [1]

GD:
- Fixed bug #81739: OOB read due to insufficient input validation in imageloadfont(). [2]

Hash:
- Fixed bug #81738: buffer overflow in hash_update() on long parameter. [3]

Session:
- Fixed bug GH-9583 (session_create_id() fails with user defined save handler that doesn't have a validateId() method).

Streams:
- Fixed bug GH-9590 (stream_select does not abort upon exception or empty valid fd set)

References:
[1] https://www.php.net/ChangeLog-8.php#8.0.25
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37454
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31630

========================
Updated packages in core/updates_testing:
========================
php-dom-debuginfo-8.0.25-1.mga8 php-openssl-debuginfo-8.0.25-1.mga8 php-debuginfo-8.0.25-1.mga8 php-phar-debuginfo-8.0.25-1.mga8 php-mysqlnd-debuginfo-8.0.25-1.mga8 php-mbstring-8.0.25-1.mga8 php-mbstring-debuginfo-8.0.25-1.mga8 php-pgsql-debuginfo-8.0.25-1.mga8 php-opcache-8.0.25-1.mga8 php-fileinfo-debuginfo-8.0.25-1.mga8 php-pdo-debuginfo-8.0.25-1.mga8 php-intl-8.0.25-1.mga8 php-curl-debuginfo-8.0.25-1.mga8 php-mysqli-debuginfo-8.0.25-1.mga8 php-ini-8.0.25-1.mga8 php-sockets-debuginfo-8.0.25-1.mga8 php-intl-debuginfo-8.0.25-1.mga8 php-soap-debuginfo-8.0.25-1.mga8 php-session-debuginfo-8.0.25-1.mga8 php-phar-8.0.25-1.mga8 php-mysqlnd-8.0.25-1.mga8 php-gmp-debuginfo-8.0.25-1.mga8 php-imap-debuginfo-8.0.25-1.mga8 php-soap-8.0.25-1.mga8 php-gd-debuginfo-8.0.25-1.mga8 php-ldap-debuginfo-8.0.25-1.mga8 php-zip-debuginfo-8.0.25-1.mga8 php-exif-debuginfo-8.0.25-1.mga8 php-doc-8.0.25-1.mga8 php-dba-debuginfo-8.0.25-1.mga8 php-ftp-debuginfo-8.0.25-1.mga8 php-snmp-debuginfo-8.0.25-1.mga8 php-openssl-8.0.25-1.mga8 php-tidy-debuginfo-8.0.25-1.mga8 php-sodium-debuginfo-8.0.25-1.mga8 php-dom-8.0.25-1.mga8 php-pgsql-8.0.25-1.mga8 php-bcmath-debuginfo-8.0.25-1.mga8 php-filter-debuginfo-8.0.25-1.mga8
php-zlib-debuginfo-8.0.25-1.mga8 php-mysqli-8.0.25-1.mga8 php-odbc-debuginfo-8.0.25-1.mga8 php-iconv-debuginfo-8.0.25-1.mga8 php-sqlite3-debuginfo-8.0.25-1.mga8 php-posix-debuginfo-8.0.25-1.mga8 php-pdo_pgsql-debuginfo-8.0.25-1.mga8 php-pdo-8.0.25-1.mga8 php-curl-8.0.25-1.mga8 php-gd-8.0.25-1.mga8 php-pdo_sqlite-debuginfo-8.0.25-1.mga8 php-xsl-debuginfo-8.0.25-1.mga8 php-session-8.0.25-1.mga8 php-pdo_firebird-debuginfo-8.0.25-1.mga8 php-sockets-8.0.25-1.mga8 php-pdo_mysql-debuginfo-8.0.25-1.mga8 php-imap-8.0.25-1.mga8 php-exif-8.0.25-1.mga8 php-ldap-8.0.25-1.mga8 php-sodium-8.0.25-1.mga8 php-calendar-debuginfo-8.0.25-1.mga8 php-pdo_dblib-debuginfo-8.0.25-1.mga8 php-xmlreader-debuginfo-8.0.25-1.mga8 php-readline-debuginfo-8.0.25-1.mga8 php-xmlwriter-debuginfo-8.0.25-1.mga8 php-tokenizer-debuginfo-8.0.25-1.mga8 php-gmp-8.0.25-1.mga8 php-tidy-8.0.25-1.mga8 php-dba-8.0.25-1.mga8 php-odbc-8.0.25-1.mga8 php-pdo_odbc-debuginfo-8.0.25-1.mga8 php-sqlite3-8.0.25-1.mga8 php-ftp-8.0.25-1.mga8 php-bz2-debuginfo-8.0.25-1.mga8 php-pcntl-debuginfo-8.0.25-1.mga8 php-zip-8.0.25-1.mga8 php-snmp-8.0.25-1.mga8 php-iconv-8.0.25-1.mga8 php-bcmath-8.0.25-1.mga8 php-filter-8.0.25-1.mga8 php-pdo_pgsql-8.0.25-1.mga8 php-zlib-8.0.25-1.mga8 php-gettext-debuginfo-8.0.25-1.mga8 php-xmlwriter-8.0.25-1.mga8 php-enchant-debuginfo-8.0.25-1.mga8 php-ctype-debuginfo-8.0.25-1.mga8 php-sysvmsg-debuginfo-8.0.25-1.mga8 php-posix-8.0.25-1.mga8 php-xsl-8.0.25-1.mga8 php-sysvshm-debuginfo-8.0.25-1.mga8 php-readline-8.0.25-1.mga8 php-xmlreader-8.0.25-1.mga8 php-calendar-8.0.25-1.mga8 php-pdo_firebird-8.0.25-1.mga8 php-pcntl-8.0.25-1.mga8 php-pdo_sqlite-8.0.25-1.mga8 php-pdo_mysql-8.0.25-1.mga8 php-sysvshm-8.0.25-1.mga8 php-sysvmsg-8.0.25-1.mga8 php-bz2-8.0.25-1.mga8 php-pdo_odbc-8.0.25-1.mga8 php-pdo_dblib-8.0.25-1.mga8 php-enchant-8.0.25-1.mga8 php-shmop-debuginfo-8.0.25-1.mga8 php-tokenizer-8.0.25-1.mga8 php-sysvsem-debuginfo-8.0.25-1.mga8 php-shmop-8.0.25-1.mga8 php-fpm-nginx-8.0.25-1.mga8 
php-fpm-apache-8.0.25-1.mga8 php-ctype-8.0.25-1.mga8 php-sysvsem-8.0.25-1.mga8 php-gettext-8.0.25-1.mga8 php-cgi-8.0.25-1.mga8 phpdbg-8.0.25-1.mga8 php-cli-8.0.25-1.mga8 php-fpm-8.0.25-1.mga8 apache-mod_php-8.0.25-1.mga8 php-opcache-debuginfo-8.0.25-1.mga8 php-fileinfo-8.0.25-1.mga8 apache-mod_php-debuginfo-8.0.25-1.mga8 php-cgi-debuginfo-8.0.25-1.mga8 php-fpm-debuginfo-8.0.25-1.mga8 phpdbg-debuginfo-8.0.25-1.mga8 php-cli-debuginfo-8.0.25-1.mga8 php-debugsource-8.0.25-1.mga8 php-devel-8.0.25-1.mga8 SRPM: php-8.0.25-1.mga8.src.rpm
CVE: (none) => CVE-2022-37454, CVE-2022-31630
Assignee: mageia => qa-bugs
Make sure to include the CVEs in the advisory. If CVE-2022-31630 also affects libgd, we need to fix it there.
Hi Mark,

I'm getting bad links when I pick an 8.025 php object. The system has 8.0.24 installed currently.

I pick one 8.0.25 object and the following appears.

To satisfy dependencies, the following package(s) also need to be installed:

- apache-mod_php-8.1.11-1.mga8.x86_64
- php-apcu-5.1.21-4.mga8.x86_64
- php-bcmath-8.1.11-1.mga8.x86_64
- php-bz2-8.1.11-1.mga8.x86_64
- php-cgi-8.1.11-1.mga8.x86_64
- php-cli-8.1.11-1.mga8.x86_64
- php-ctype-8.1.11-1.mga8.x86_64
- php-curl-8.1.11-1.mga8.x86_64
- php-dom-8.1.11-1.mga8.x86_64
- php-exif-8.1.11-1.mga8.x86_64
- php-fileinfo-8.1.11-1.mga8.x86_64
- php-filter-8.1.11-1.mga8.x86_64
- php-gd-8.1.11-1.mga8.x86_64
- php-gmp-8.1.11-1.mga8.x86_64
- php-iconv-8.1.11-1.mga8.x86_64
- php-imagick-3.6.0-0.3.mga8.x86_64
- php-ini-8.1.11-1.mga8.x86_64
- php-intl-8.1.11-1.mga8.x86_64
- php-ldap-8.1.11-1.mga8.x86_64
- php-mbstring-8.1.11-1.mga8.x86_64
- php-mysqlnd-8.1.11-1.mga8.x86_64
- php-opcache-8.1.11-1.mga8.x86_64
- php-openssl-8.1.11-1.mga8.x86_64
- php-pcntl-8.1.11-1.mga8.x86_64
- php-pdo-8.1.11-1.mga8.x86_64
- php-pdo_mysql-8.1.11-1.mga8.x86_64
- php-posix-8.1.11-1.mga8.x86_64
- php-session-8.1.11-1.mga8.x86_64
- php-sodium-8.1.11-1.mga8.x86_64
- php-sysvsem-8.1.11-1.mga8.x86_64
- php-sysvshm-8.1.11-1.mga8.x86_64
- php-tokenizer-8.1.11-1.mga8.x86_64
- php-xmlreader-8.1.11-1.mga8.x86_64
- php-xmlwriter-8.1.11-1.mga8.x86_64
- php-zip-8.1.11-1.mga8.x86_64
- php-zlib-8.1.11-1.mga8.x86_64

Is this a bad link or something wonky on my side?
CC: (none) => brtians1
This looks like the backports "bug" in urpmi. Once backports was enabled urpmi tries to get updates from there. I think the solution was to remove the backports repo before update? @David: do u remember?

For gd: no, this is in handling of fonts loaded by php; this is not in the library.
(In reply to Brian Rockwell from comment #3)
> Hi Mark,
> I'm getting bad links when I pick an 8.025 php object. The system has
> 8.0.24 installed currently.
>
> I pick one 8.0.25 object and the following appears.
>
> To satisfy dependencies, the following package(s) also need to be installed:
>
> - apache-mod_php-8.1.11-1.mga8.x86_64
<snip list>
> Is this a bad link or something wonky on my side?

http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/backports/apache-mod_php-8.1.11-1.mga8.x86_64.rpm

It's the backports bug. Workaround is to run "urpmi.removemedia -y Back". Delete and re-add all media anytime you want to test backports.
CC: (none) => davidwhodgins
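A check a tester could run on the transaction urpmi proposes before accepting it, to spot the backports mix-up described above. This is an added example, not part of the thread: the function names are hypothetical, and the sample transaction and advisory name set are constructed from a few of the package lines quoted in the comments.

```python
import re

# name-version-release.arch, e.g. php-gd-8.0.25-1.mga8.x86_64
NVRA = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)

def parse_nvra(item):
    """Split an RPM name-version-release.arch string; None if it does not fit."""
    m = NVRA.match(item.strip())
    return m.groupdict() if m else None

def unexpected_packages(transaction_lines, advisory_names, expected_version):
    """Return (name, version) for advisory packages offered at another version.

    Packages outside the advisory (php-apcu, php-imagick) have their own
    version streams, so they are ignored rather than flagged.
    """
    flagged = []
    for line in transaction_lines:
        line = line.strip()
        if not line.startswith("- "):
            continue  # prompt text, blank lines
        pkg = parse_nvra(line[2:])
        if pkg is None:
            continue
        if pkg["name"] in advisory_names and pkg["version"] != expected_version:
            flagged.append((pkg["name"], pkg["version"]))
    return flagged

# Constructed subset of the advisory's package names (assumption: trimmed list).
ADVISORY_NAMES = {"apache-mod_php", "php-gd", "php-cli"}

# Constructed sample: transaction seen with the backports medium enabled.
WITH_BACKPORTS = """To satisfy dependencies, the following package(s) also need to be installed:
- apache-mod_php-8.1.11-1.mga8.x86_64
- php-apcu-5.1.21-4.mga8.x86_64
- php-gd-8.1.11-1.mga8.x86_64
- php-imagick-3.6.0-0.3.mga8.x86_64
""".splitlines()

# Constructed sample: transaction after the backports medium was removed.
WITHOUT_BACKPORTS = """The following 34 packages are going to be installed:
- apache-mod_php-8.0.25-1.mga8.x86_64
- php-gd-8.0.25-1.mga8.x86_64
""".splitlines()

if __name__ == "__main__":
    print(unexpected_packages(WITH_BACKPORTS, ADVISORY_NAMES, "8.0.25"))
    print(unexpected_packages(WITHOUT_BACKPORTS, ADVISORY_NAMES, "8.0.25"))
```
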
Thanks Marc and Dave,

Yup wonky on my end. Removing Backports worked

MGA8-64, Xfce, AMD A4 apu

# uname -a
Linux localhost 5.15.74-server-1.mga8 #1 SMP Sat Oct 15 19:40:42 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

This is a test nextcloud server

The following 34 packages are going to be installed:

- apache-mod_php-8.0.25-1.mga8.x86_64
- php-bcmath-8.0.25-1.mga8.x86_64
- php-bz2-8.0.25-1.mga8.x86_64
- php-cgi-8.0.25-1.mga8.x86_64
- php-cli-8.0.25-1.mga8.x86_64
- php-ctype-8.0.25-1.mga8.x86_64
- php-curl-8.0.25-1.mga8.x86_64
- php-dom-8.0.25-1.mga8.x86_64
- php-exif-8.0.25-1.mga8.x86_64
- php-fileinfo-8.0.25-1.mga8.x86_64
- php-filter-8.0.25-1.mga8.x86_64
- php-gd-8.0.25-1.mga8.x86_64
- php-gmp-8.0.25-1.mga8.x86_64
- php-iconv-8.0.25-1.mga8.x86_64
- php-ini-8.0.25-1.mga8.x86_64
- php-intl-8.0.25-1.mga8.x86_64
- php-ldap-8.0.25-1.mga8.x86_64
- php-mbstring-8.0.25-1.mga8.x86_64
- php-mysqlnd-8.0.25-1.mga8.x86_64
- php-opcache-8.0.25-1.mga8.x86_64
- php-openssl-8.0.25-1.mga8.x86_64
- php-pcntl-8.0.25-1.mga8.x86_64
- php-pdo-8.0.25-1.mga8.x86_64
- php-pdo_mysql-8.0.25-1.mga8.x86_64
- php-posix-8.0.25-1.mga8.x86_64
- php-session-8.0.25-1.mga8.x86_64
- php-sodium-8.0.25-1.mga8.x86_64
- php-sysvsem-8.0.25-1.mga8.x86_64
- php-sysvshm-8.0.25-1.mga8.x86_64
- php-tokenizer-8.0.25-1.mga8.x86_64
- php-xmlreader-8.0.25-1.mga8.x86_64
- php-xmlwriter-8.0.25-1.mga8.x86_64
- php-zip-8.0.25-1.mga8.x86_64
- php-zlib-8.0.25-1.mga8.x86_64

664B of additional disk space will be used.
7.4MB of packages will be retrieved.
Is it ok to continue?

-- restarted machine

nextcloud working as expected.
Whiteboard: (none) => MGA8-64-OK
Waiting less and less patiently for that backports bug to get fixed. But I wander off-topic... Validating. Advisory in Comment 1, with more information in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0406.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED