Bug 31549 - PHP: update 8.0.28
Summary: PHP: update 8.0.28
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2023-02-14 18:43 CET by Marc Krämer
Modified: 2023-02-27 21:29 CET
CC List: 4 users

See Also:
Source RPM: php
CVE: CVE-2023-0662,CVE-2023-0567,CVE-2023-0568
Status comment:


Description Marc Krämer 2023-02-14 18:43:53 CET
Security Fix:
https://www.php.net/ChangeLog-8.php#8.0.28
Marc Krämer 2023-02-14 18:44:14 CET

CVE: (none) => CVE-2023-0662

Marc Krämer 2023-02-14 18:49:43 CET

CVE: CVE-2023-0662 => CVE-2023-0662,CVE-2023-0567,CVE-2023-0568

Comment 1 Marc Krämer 2023-02-14 19:18:36 CET
Updated php packages fix security vulnerabilities:

Core:
- Fixed bug #81744 (Password_verify() always return true with some hash).
- Fixed bug #81746 (1-byte array overrun in common path resolve code).

SAPI:
- Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0567
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0568
https://www.php.net/ChangeLog-8.php#8.0.28
========================

Updated packages in core/updates_testing:
========================
php-cgi-8.0.28-1.mga8
php-cli-8.0.28-1.mga8
phpdbg-8.0.28-1.mga8
php-fpm-8.0.28-1.mga8
php-opcache-debuginfo-8.0.28-1.mga8
php-soap-debuginfo-8.0.28-1.mga8
php-intl-debuginfo-8.0.28-1.mga8
php-opcache-8.0.28-1.mga8
php-mbstring-debuginfo-8.0.28-1.mga8
php-mbstring-8.0.28-1.mga8
php-debuginfo-8.0.28-1.mga8
php-openssl-debuginfo-8.0.28-1.mga8
php-phar-debuginfo-8.0.28-1.mga8
php-mysqlnd-debuginfo-8.0.28-1.mga8
php-pgsql-debuginfo-8.0.28-1.mga8
apache-mod_php-8.0.28-1.mga8
php-dom-debuginfo-8.0.28-1.mga8
php-intl-8.0.28-1.mga8
php-fileinfo-debuginfo-8.0.28-1.mga8
php-curl-debuginfo-8.0.28-1.mga8
php-pdo-debuginfo-8.0.28-1.mga8
php-mysqli-debuginfo-8.0.28-1.mga8
php-ini-8.0.28-1.mga8
php-sockets-debuginfo-8.0.28-1.mga8
php-session-debuginfo-8.0.28-1.mga8
php-soap-8.0.28-1.mga8
php-phar-8.0.28-1.mga8
php-mysqlnd-8.0.28-1.mga8
php-gmp-debuginfo-8.0.28-1.mga8
php-imap-debuginfo-8.0.28-1.mga8
php-gd-debuginfo-8.0.28-1.mga8
php-ldap-debuginfo-8.0.28-1.mga8
php-exif-debuginfo-8.0.28-1.mga8
php-ftp-debuginfo-8.0.28-1.mga8
php-zip-debuginfo-8.0.28-1.mga8
php-snmp-debuginfo-8.0.28-1.mga8
php-sodium-debuginfo-8.0.28-1.mga8
php-dba-debuginfo-8.0.28-1.mga8
php-openssl-8.0.28-1.mga8
php-doc-8.0.28-1.mga8
php-tidy-debuginfo-8.0.28-1.mga8
php-dom-8.0.28-1.mga8
php-filter-debuginfo-8.0.28-1.mga8
php-bcmath-debuginfo-8.0.28-1.mga8
php-sqlite3-debuginfo-8.0.28-1.mga8
php-odbc-debuginfo-8.0.28-1.mga8
php-iconv-debuginfo-8.0.28-1.mga8
php-mysqli-8.0.28-1.mga8
php-pgsql-8.0.28-1.mga8
php-posix-debuginfo-8.0.28-1.mga8
php-pdo_pgsql-debuginfo-8.0.28-1.mga8
php-pdo-8.0.28-1.mga8
php-zlib-debuginfo-8.0.28-1.mga8
php-session-8.0.28-1.mga8
php-pdo_mysql-debuginfo-8.0.28-1.mga8
php-gd-8.0.28-1.mga8
php-curl-8.0.28-1.mga8
php-pdo_firebird-debuginfo-8.0.28-1.mga8
php-sockets-8.0.28-1.mga8
php-xsl-debuginfo-8.0.28-1.mga8
php-pdo_sqlite-debuginfo-8.0.28-1.mga8
php-imap-8.0.28-1.mga8
php-xmlwriter-debuginfo-8.0.28-1.mga8
php-tokenizer-debuginfo-8.0.28-1.mga8
php-calendar-debuginfo-8.0.28-1.mga8
php-xmlreader-debuginfo-8.0.28-1.mga8
php-sodium-8.0.28-1.mga8
php-pdo_dblib-debuginfo-8.0.28-1.mga8
php-readline-debuginfo-8.0.28-1.mga8
php-exif-8.0.28-1.mga8
php-ldap-8.0.28-1.mga8
php-fileinfo-8.0.28-1.mga8
php-gmp-8.0.28-1.mga8
php-zip-8.0.28-1.mga8
php-pcntl-debuginfo-8.0.28-1.mga8
php-dba-8.0.28-1.mga8
php-ftp-8.0.28-1.mga8
php-pdo_odbc-debuginfo-8.0.28-1.mga8
php-odbc-8.0.28-1.mga8
php-sqlite3-8.0.28-1.mga8
php-snmp-8.0.28-1.mga8
php-enchant-debuginfo-8.0.28-1.mga8
php-bz2-debuginfo-8.0.28-1.mga8
php-tidy-8.0.28-1.mga8
php-zlib-8.0.28-1.mga8
php-filter-8.0.28-1.mga8
php-xmlwriter-8.0.28-1.mga8
php-iconv-8.0.28-1.mga8
php-pdo_pgsql-8.0.28-1.mga8
php-ctype-debuginfo-8.0.28-1.mga8
php-posix-8.0.28-1.mga8
php-pcntl-8.0.28-1.mga8
php-gettext-debuginfo-8.0.28-1.mga8
php-sysvmsg-debuginfo-8.0.28-1.mga8
php-bcmath-8.0.28-1.mga8
php-readline-8.0.28-1.mga8
php-xmlreader-8.0.28-1.mga8
php-pdo_sqlite-8.0.28-1.mga8
php-pdo_firebird-8.0.28-1.mga8
php-xsl-8.0.28-1.mga8
php-calendar-8.0.28-1.mga8
php-sysvshm-debuginfo-8.0.28-1.mga8
php-bz2-8.0.28-1.mga8
php-pdo_mysql-8.0.28-1.mga8
php-pdo_dblib-8.0.28-1.mga8
php-tokenizer-8.0.28-1.mga8
php-pdo_odbc-8.0.28-1.mga8
php-sysvsem-debuginfo-8.0.28-1.mga8
php-shmop-debuginfo-8.0.28-1.mga8
php-enchant-8.0.28-1.mga8
php-sysvshm-8.0.28-1.mga8
php-shmop-8.0.28-1.mga8
php-sysvsem-8.0.28-1.mga8
php-ctype-8.0.28-1.mga8
php-sysvmsg-8.0.28-1.mga8
php-gettext-8.0.28-1.mga8
php-fpm-nginx-8.0.28-1.mga8
php-fpm-apache-8.0.28-1.mga8
phpdbg-debuginfo-8.0.28-1.mga8
apache-mod_php-debuginfo-8.0.28-1.mga8
php-cgi-debuginfo-8.0.28-1.mga8
php-fpm-debuginfo-8.0.28-1.mga8
php-cli-debuginfo-8.0.28-1.mga8
php-debugsource-8.0.28-1.mga8
php-devel-8.0.28-1.mga8

SRPM:
php-8.0.28-1.mga8.src.rpm

Assignee: mageia => qa-bugs
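For anyone verifying that this update actually landed on a machine, the following is an added example (not part of this bug report or of the Mageia php package) that takes `rpm -qa` style lines and reports which of the packages named in the list above are still below 8.0.28-1.mga8. It re-implements the numeric/alphabetic segment comparison that rpmvercmp uses (tilde and caret handling omitted, since the Mageia release tags here do not use them); the `rpm -qa` sample it runs on is constructed for the demonstration.

```python
from __future__ import annotations

import re
from typing import Iterable

# The fixed version-release of every package listed in the update.
FIXED_VR = "8.0.28-1.mga8"

# Subset of the package names from the update list above; extend as needed.
ADVISORY_PACKAGES = {
    "php", "php-cli", "php-cgi", "php-fpm", "phpdbg", "apache-mod_php",
    "php-mbstring", "php-opcache", "php-openssl", "php-mysqlnd", "php-pdo",
}

# Arch / source suffixes that `rpm -qa` (or a .src.rpm filename) may append.
_SUFFIXES = (".src.rpm", ".x86_64", ".i586", ".aarch64", ".noarch")

_SEG = re.compile(r"(\d+|[a-zA-Z]+)")

# Constructed sample of `rpm -qa` output: two packages are still on 8.0.27,
# phpmyadmin is unrelated and must be ignored.
SAMPLE_RPM_QA = """\
php-cli-8.0.27-1.mga8.x86_64
php-fpm-8.0.28-1.mga8.x86_64
apache-mod_php-8.0.27-1.mga8.x86_64
php-mbstring-8.0.28-1.mga8.x86_64
phpmyadmin-5.2.1-1.mga8.noarch
"""


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpmvercmp: split into
    numeric and alphabetic segments; numbers compare numerically, letters
    lexically, and a numeric segment sorts after an alphabetic one.
    Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            ix, iy = int(x), int(y)
            if ix != iy:
                return (ix > iy) - (ix < iy)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(vr_a: str, vr_b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    va, ra = vr_a.split("-", 1)
    vb, rb = vr_b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def split_nvr(nvr: str) -> tuple[str, str, str]:
    """Split name-version-release. Names may contain dashes, version and
    release never do, so split from the right."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def outdated_php_packages(rpm_qa_lines: Iterable[str],
                          fixed_vr: str = FIXED_VR) -> list[str]:
    """Return the installed advisory packages whose version-release is
    still below fixed_vr (arch suffix stripped)."""
    stale: list[str] = []
    for line in rpm_qa_lines:
        line = line.strip()
        if not line:
            continue
        for suffix in _SUFFIXES:
            if line.endswith(suffix):
                line = line[: -len(suffix)]
                break
        try:
            name, version, release = split_nvr(line)
        except ValueError:
            continue  # not a name-version-release string
        if name not in ADVISORY_PACKAGES:
            continue
        if compare_vr(f"{version}-{release}", fixed_vr) < 0:
            stale.append(line)
    return stale


if __name__ == "__main__":
    # Replace SAMPLE_RPM_QA with the real `rpm -qa` output to check a host.
    for pkg in outdated_php_packages(SAMPLE_RPM_QA.splitlines()):
        print("still vulnerable:", pkg)
```

On a live host, feed it `rpm -qa` output (for example `rpm -qa | python3 check.py` with the sample replaced by `sys.stdin`); an empty result means every listed package is at or above the fixed build.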

Comment 2 David Walser 2023-02-15 00:09:45 CET
Make sure to include the CVEs in the advisory text (and that way people will know which CVE corresponds to which bug).
Comment 3 Marc Krämer 2023-02-15 10:06:32 CET
@David: 3 fixed bugs, 3 advisories....
Comment 4 David Walser 2023-02-15 15:08:43 CET
(In reply to Marc Krämer from comment #3)
> @David: 3 fixed bugs, 3 advisories....

That's not helpful.  Please follow each security bug description with the CVE in parentheses, in all advisories.
Comment 5 Dave Hodgins 2023-02-15 17:07:27 CET
Marc, here's the advisory with the cve ids in the description.

Updated php packages fix security vulnerabilities:

Core:
- Fixed bug #81744 (Password_verify() always return true with some hash). (CVE-2023-0567)
- Fixed bug #81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568)

SAPI:
- Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0567
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0568
https://www.php.net/ChangeLog-8.php#8.0.28
========================

Having the cve ids in the description as well as the references allows readers
to know which bug description is for which cve id.

As the mitre site currently just returns "RESERVED" for all three, figuring out
which cve is for which bug comes from
https://www.php.net/ChangeLog-8.php#8.0.28 for CVE-2023-0662
https://bugs.php.net/bug.php?id=81744 for CVE-2023-0567
https://bugs.php.net/bug.php?id=81746 for CVE-2023-0568

CC: (none) => davidwhodgins

Comment 6 Marc Krämer 2023-02-15 18:04:21 CET
yeah, they were only written for 8.2.3 - and I've added the advisory before. And as I said, it is just 3 major bugs closed with 3 advisories.
Comment 7 David Walser 2023-02-15 18:10:38 CET
Just please follow that format in the future.
Comment 8 Herman Viaene 2023-02-21 14:32:07 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Refer to bug 31180 for testing:
$ php -S localhost:8000 -t php
[Tue Feb 21 14:18:28 2023] PHP 8.0.28 Development Server (http://localhost:8000) started
Then pointing firefox to http://localhost:8000/create-png.php and http://localhost:8000/sample.php displays correct image and text message.
Works OK and get feedback at the CLI:
[Tue Feb 21 14:18:34 2023] [::1]:37476 Accepted
[Tue Feb 21 14:18:34 2023] [::1]:37476 [200]: GET /create-png.php
[Tue Feb 21 14:18:34 2023] [::1]:37476 Closing
[Tue Feb 21 14:18:40 2023] [::1]:52166 Accepted
[Tue Feb 21 14:18:41 2023] [::1]:52166 [200]: GET /sample.php
[Tue Feb 21 14:18:41 2023] [::1]:52166 Closing
Make sure httpd and mysqld are running, then start phpmyadmin, login, delete the previous test database testphp8027, create a new database testphp8028 and create a new table with PK and unique key and timestamp and insert some values.
All works OK, good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 9 Thomas Andrews 2023-02-21 16:50:59 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-25 20:36:53 CET

Keywords: (none) => advisory

Comment 10 Mageia Robot 2023-02-27 21:29:07 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0065.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
