Bug 31551 - PHP:security issues 8.1.16 Mageia 8 Backport
Summary: PHP:security issues 8.1.16 Mageia 8 Backport
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Backports
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA8-64-OK
Keywords: validated_backport
Depends on:
Blocks:
 
Reported: 2023-02-15 14:29 CET by Marc Krämer
Modified: 2023-02-27 23:25 CET

See Also:
Source RPM: php 8.1.16 mga8
CVE: CVE-2023-0567,CVE-2023-0568,CVE-2023-0662
Status comment:


Description Marc Krämer 2023-02-15 14:29:13 CET
https://www.php.net/ChangeLog-8.php#8.1.16
Marc Krämer 2023-02-15 14:29:35 CET

CVE: (none) => CVE-2023-0567,CVE-2023-0568,CVE-2023-0662

David Walser 2023-02-15 15:07:08 CET

QA Contact: security => (none)
Component: Security => Backports

Comment 1 Lewis Smith 2023-02-15 20:55:54 CET
Do not understand DavidW's juggling above, but you know what you are doing.

Marc, you seem to be the packager responsible for this; so assigning it to you, but you will doubtless re-assign it if necessary.

Source RPM: php => php 8.1.16 mga8
Summary: PHP:security 8.1.16 => PHP:security issues 8.1.16 Mageia 8 Backport
Assignee: bugsquad => mageia

Comment 2 Marc Krämer 2023-02-15 21:54:29 CET
I assume, because it is backports, it should not be in security, even when it is a security issue.
I still don't understand why we distinguish between core security and backports. In my understanding backports is even worse, since it is designed for cherry picking, the security announcements are more relevant than for core, as they are fixed through regular updates.

Assignee: mageia => qa-bugs

Comment 3 Marc Krämer 2023-02-15 21:56:51 CET
SRPM: php-8.1.16-1.mga8.src.rpm

updates in core/backports_testing:
php-cgi-8.1.16-1.mga8
php-cli-8.1.16-1.mga8
php-fpm-8.1.16-1.mga8
phpdbg-8.1.16-1.mga8
php-intl-debuginfo-8.1.16-1.mga8
php-soap-debuginfo-8.1.16-1.mga8
php-mbstring-debuginfo-8.1.16-1.mga8
php-debuginfo-8.1.16-1.mga8
php-opcache-debuginfo-8.1.16-1.mga8
php-mbstring-8.1.16-1.mga8
php-opcache-8.1.16-1.mga8
php-phar-debuginfo-8.1.16-1.mga8
php-openssl-debuginfo-8.1.16-1.mga8
php-dom-debuginfo-8.1.16-1.mga8
php-fileinfo-debuginfo-8.1.16-1.mga8
apache-mod_php-8.1.16-1.mga8
php-mysqli-debuginfo-8.1.16-1.mga8
php-mysqlnd-debuginfo-8.1.16-1.mga8
php-intl-8.1.16-1.mga8
php-pdo-debuginfo-8.1.16-1.mga8
php-pgsql-debuginfo-8.1.16-1.mga8
php-curl-debuginfo-8.1.16-1.mga8
php-fileinfo-8.1.16-1.mga8
php-soap-8.1.16-1.mga8
php-ini-8.1.16-1.mga8
php-sockets-debuginfo-8.1.16-1.mga8
php-session-debuginfo-8.1.16-1.mga8
php-phar-8.1.16-1.mga8
php-imap-debuginfo-8.1.16-1.mga8
php-gd-debuginfo-8.1.16-1.mga8
php-ldap-debuginfo-8.1.16-1.mga8
php-gmp-debuginfo-8.1.16-1.mga8
php-mysqlnd-8.1.16-1.mga8
php-dba-debuginfo-8.1.16-1.mga8
php-sodium-debuginfo-8.1.16-1.mga8
php-snmp-debuginfo-8.1.16-1.mga8
php-zip-debuginfo-8.1.16-1.mga8
php-exif-debuginfo-8.1.16-1.mga8
php-dom-8.1.16-1.mga8
php-openssl-8.1.16-1.mga8
php-ftp-debuginfo-8.1.16-1.mga8
php-tidy-debuginfo-8.1.16-1.mga8
php-sqlite3-debuginfo-8.1.16-1.mga8
php-doc-8.1.16-1.mga8
php-mysqli-8.1.16-1.mga8
php-bcmath-debuginfo-8.1.16-1.mga8
php-filter-debuginfo-8.1.16-1.mga8
php-iconv-debuginfo-8.1.16-1.mga8
php-odbc-debuginfo-8.1.16-1.mga8
php-pgsql-8.1.16-1.mga8
php-zlib-debuginfo-8.1.16-1.mga8
php-posix-debuginfo-8.1.16-1.mga8
php-pdo_pgsql-debuginfo-8.1.16-1.mga8
php-pdo-8.1.16-1.mga8
php-xmlreader-debuginfo-8.1.16-1.mga8
php-session-8.1.16-1.mga8
php-curl-8.1.16-1.mga8
php-pdo_mysql-debuginfo-8.1.16-1.mga8
php-gd-8.1.16-1.mga8
php-imap-8.1.16-1.mga8
php-xsl-debuginfo-8.1.16-1.mga8
php-pdo_firebird-debuginfo-8.1.16-1.mga8
php-pdo_sqlite-debuginfo-8.1.16-1.mga8
php-sockets-8.1.16-1.mga8
php-sodium-8.1.16-1.mga8
php-calendar-debuginfo-8.1.16-1.mga8
php-xmlwriter-debuginfo-8.1.16-1.mga8
php-tokenizer-debuginfo-8.1.16-1.mga8
php-exif-8.1.16-1.mga8
php-pcntl-debuginfo-8.1.16-1.mga8
php-ldap-8.1.16-1.mga8
php-pdo_dblib-debuginfo-8.1.16-1.mga8
php-readline-debuginfo-8.1.16-1.mga8
php-odbc-8.1.16-1.mga8
php-ftp-8.1.16-1.mga8
php-gmp-8.1.16-1.mga8
php-zip-8.1.16-1.mga8
php-pdo_odbc-debuginfo-8.1.16-1.mga8
php-dba-8.1.16-1.mga8
php-snmp-8.1.16-1.mga8
php-tidy-8.1.16-1.mga8
php-sqlite3-8.1.16-1.mga8
php-bz2-debuginfo-8.1.16-1.mga8
php-iconv-8.1.16-1.mga8
php-filter-8.1.16-1.mga8
php-zlib-8.1.16-1.mga8
php-pdo_pgsql-8.1.16-1.mga8
php-enchant-debuginfo-8.1.16-1.mga8
php-pcntl-8.1.16-1.mga8
php-xmlreader-8.1.16-1.mga8
php-sysvmsg-debuginfo-8.1.16-1.mga8
php-gettext-debuginfo-8.1.16-1.mga8
php-xmlwriter-8.1.16-1.mga8
php-pdo_firebird-8.1.16-1.mga8
php-pdo_sqlite-8.1.16-1.mga8
php-readline-8.1.16-1.mga8
php-posix-8.1.16-1.mga8
php-bcmath-8.1.16-1.mga8
php-pdo_odbc-8.1.16-1.mga8
php-calendar-8.1.16-1.mga8
php-xsl-8.1.16-1.mga8
php-pdo_mysql-8.1.16-1.mga8
php-sysvshm-debuginfo-8.1.16-1.mga8
php-pdo_dblib-8.1.16-1.mga8
php-bz2-8.1.16-1.mga8
php-sysvsem-debuginfo-8.1.16-1.mga8
php-tokenizer-8.1.16-1.mga8
php-shmop-debuginfo-8.1.16-1.mga8
php-shmop-8.1.16-1.mga8
php-ctype-debuginfo-8.1.16-1.mga8
php-sysvmsg-8.1.16-1.mga8
php-enchant-8.1.16-1.mga8
php-sysvshm-8.1.16-1.mga8
php-fpm-nginx-8.1.16-1.mga8
php-fpm-apache-8.1.16-1.mga8
php-ctype-8.1.16-1.mga8
php-sysvsem-8.1.16-1.mga8
php-gettext-8.1.16-1.mga8
php-cli-debuginfo-8.1.16-1.mga8
php-fpm-debuginfo-8.1.16-1.mga8
phpdbg-debuginfo-8.1.16-1.mga8
apache-mod_php-debuginfo-8.1.16-1.mga8
php-cgi-debuginfo-8.1.16-1.mga8
php-debugsource-8.1.16-1.mga8
php-devel-8.1.16-1.mga8

Comment 4 PC LX 2023-02-22 12:18:25 CET
Installed and tested without issues.

This update has been in use for about a week without issue.

Using php-fpm instead of mod_php, systemd socket activated.

Tested phpmyadmin, nextcloud, wordpress, drupal, roundcubemail, mediawiki and more.
Tested HTTP 1.1, HTTP 2, TLS and CLI.
Tested xdebug with netbeans.

No regressions found.



System: Mageia 8, x86_64, Apache HTTPD, Intel CPU.



$ uname -a
Linux jupiter 6.1.6-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Jan 14 13:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php.*8\\.1 | sort
apache-mod_php-8.1.16-1.mga8
php-bcmath-8.1.16-1.mga8
php-bz2-8.1.16-1.mga8
php-cli-8.1.16-1.mga8
php-ctype-8.1.16-1.mga8
php-curl-8.1.16-1.mga8
php-dom-8.1.16-1.mga8
php-exif-8.1.16-1.mga8
php-fileinfo-8.1.16-1.mga8
php-filter-8.1.16-1.mga8
php-fpm-8.1.16-1.mga8
php-gd-8.1.16-1.mga8
php-gmp-8.1.16-1.mga8
php-iconv-8.1.16-1.mga8
php-imap-8.1.16-1.mga8
php-ini-8.1.16-1.mga8
php-intl-8.1.16-1.mga8
php-ldap-8.1.16-1.mga8
php-mbstring-8.1.16-1.mga8
php-mysqli-8.1.16-1.mga8
php-mysqlnd-8.1.16-1.mga8
php-opcache-8.1.16-1.mga8
php-openssl-8.1.16-1.mga8
php-pdo-8.1.16-1.mga8
php-pdo_mysql-8.1.16-1.mga8
php-posix-8.1.16-1.mga8
php-session-8.1.16-1.mga8
php-sockets-8.1.16-1.mga8
php-sodium-8.1.16-1.mga8
php-sysvsem-8.1.16-1.mga8
php-sysvshm-8.1.16-1.mga8
php-tokenizer-8.1.16-1.mga8
php-xmlreader-8.1.16-1.mga8
php-xmlwriter-8.1.16-1.mga8
php-zip-8.1.16-1.mga8
php-zlib-8.1.16-1.mga8
# systemctl status httpd.socket php-fpm.socket httpd.service php-fpm.service
● httpd.socket - httpd server activation socket
     Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
     Active: active (running) since Wed 2023-02-22 09:46:44 WET; 1h 30min ago
   Triggers: ● httpd.service
     Listen: [::]:80 (Stream)
             [::]:443 (Stream)
      Tasks: 0 (limit: 37625)
     Memory: 8.0K
        CPU: 461us
     CGroup: /system.slice/httpd.socket

fev 22 09:46:44 jupiter systemd[1]: Listening on httpd server activation socket.

● php-fpm.socket - php-fpm Server Socket
     Loaded: loaded (/usr/local/lib/systemd/system/php-fpm.socket; enabled; vendor preset: disabled)
     Active: inactive (dead) since Wed 2023-02-22 11:06:34 WET; 11min ago
   Triggers: ● php-fpm.service
     Listen: /run/php-fpm/php-fpm.socket (Stream)

fev 22 09:46:44 jupiter systemd[1]: Listening on php-fpm Server Socket.
fev 22 11:06:34 jupiter systemd[1]: php-fpm.socket: Succeeded.
fev 22 11:06:34 jupiter systemd[1]: Closed php-fpm Server Socket.

● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2023-02-22 10:28:38 WET; 48min ago
TriggeredBy: ● httpd.socket
   Main PID: 7385 (httpd)
     Status: "Total requests: 2060; Idle/Busy workers 100/0;Requests/sec: 0.703; Bytes served/sec:  21KB/sec"
      Tasks: 54 (limit: 37625)
     Memory: 99.9M
        CPU: 1.169s
     CGroup: /system.slice/httpd.service
             ├─7385 /usr/sbin/httpd -DFOREGROUND
             ├─7386 /usr/sbin/httpd -DFOREGROUND
             └─7387 /usr/sbin/httpd -DFOREGROUND

fev 22 10:28:38 jupiter systemd[1]: Starting The Apache HTTP Server...
fev 22 10:28:38 jupiter systemd[1]: Started The Apache HTTP Server.
<SNIP>

● php-fpm.service - The PHP FastCGI Process Manager
     Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2023-02-22 11:06:34 WET; 11min ago
TriggeredBy: ● php-fpm.socket
   Main PID: 10675 (php-fpm)
     Status: "Processes active: 0, idle: 1, Requests: 359, slow: 0, Traffic: 0.1req/sec"
      Tasks: 2 (limit: 37625)
     Memory: 173.0M
        CPU: 44.613s
     CGroup: /system.slice/php-fpm.service
             ├─10675 php-fpm: master process (/etc/php-fpm.conf)
             └─13208 php-fpm: pool www

<SNIP>

CC: (none) => mageia

Comment 5 PC LX 2023-02-24 17:33:30 CET
This update has been working for more than a week without issues, so I'm going to give it an OK. Please undo if needed.

Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2023-02-25 17:36:39 CET
Validating.

Keywords: (none) => validated_backport
CC: (none) => andrewsfarm

Comment 7 Thomas Backlund 2023-02-27 23:25:02 CET
moved

Status: NEW => RESOLVED
Resolution: (none) => FIXED

