Bug 32158 - PHP version 8.0.30
Summary: PHP version 8.0.30
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-08-05 10:51 CEST by Marc Krämer
Modified: 2023-08-23 21:58 CEST

See Also:
Source RPM: php
CVE: CVE-2023-3824, CVE-2023-3823
Status comment:


Description Marc Krämer 2023-08-05 10:51:25 CEST
https://www.php.net/ChangeLog-8.php#8.0.30
Marc Krämer 2023-08-05 10:51:38 CEST

CVE: (none) => CVE-2023-3824, CVE-2023-3823

David Walser 2023-08-05 18:58:22 CEST

Summary: new version 8.0.30 => PHP version 8.0.30

Comment 1 David Walser 2023-08-05 18:59:18 CEST
Libxml:
Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)
Phar:
Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()). (CVE-2023-3824)

CC: (none) => luigiwalser

Comment 2 Marc Krämer 2023-08-06 11:15:42 CEST
Updated php fixes security issues:

Libxml:
- Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading in XML without enabling it). (CVE-2023-3823)

Phar:
- Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()). (CVE-2023-3824)

References:
https://www.php.net/ChangeLog-8.php#8.0.30
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3824
========================

Updated packages in core/updates_testing:
========================
php-dom-debuginfo-8.0.30-1.mga8
php-mbstring-8.0.30-1.mga8
php-phar-debuginfo-8.0.30-1.mga8
php-debuginfo-8.0.30-1.mga8
php-mysqlnd-debuginfo-8.0.30-1.mga8
php-openssl-debuginfo-8.0.30-1.mga8
php-mbstring-debuginfo-8.0.30-1.mga8
php-pgsql-debuginfo-8.0.30-1.mga8
php-opcache-8.0.30-1.mga8
php-intl-8.0.30-1.mga8
php-mysqli-debuginfo-8.0.30-1.mga8
php-fileinfo-debuginfo-8.0.30-1.mga8
php-ini-8.0.30-1.mga8
php-sockets-debuginfo-8.0.30-1.mga8
php-curl-debuginfo-8.0.30-1.mga8
php-intl-debuginfo-8.0.30-1.mga8
php-soap-debuginfo-8.0.30-1.mga8
php-pdo-debuginfo-8.0.30-1.mga8
php-soap-8.0.30-1.mga8
php-session-debuginfo-8.0.30-1.mga8
php-phar-8.0.30-1.mga8
php-mysqlnd-8.0.30-1.mga8
php-gmp-debuginfo-8.0.30-1.mga8
php-imap-debuginfo-8.0.30-1.mga8
php-gd-debuginfo-8.0.30-1.mga8
php-ldap-debuginfo-8.0.30-1.mga8
php-sodium-debuginfo-8.0.30-1.mga8
php-snmp-debuginfo-8.0.30-1.mga8
php-exif-debuginfo-8.0.30-1.mga8
php-ftp-debuginfo-8.0.30-1.mga8
php-zip-debuginfo-8.0.30-1.mga8
php-dba-debuginfo-8.0.30-1.mga8
php-doc-8.0.30-1.mga8.noarch.rpm
php-openssl-8.0.30-1.mga8
php-dom-8.0.30-1.mga8
php-mysqli-8.0.30-1.mga8
php-iconv-debuginfo-8.0.30-1.mga8
php-tidy-debuginfo-8.0.30-1.mga8
php-bcmath-debuginfo-8.0.30-1.mga8
php-sqlite3-debuginfo-8.0.30-1.mga8
php-filter-debuginfo-8.0.30-1.mga8
php-odbc-debuginfo-8.0.30-1.mga8
php-pgsql-8.0.30-1.mga8
php-curl-8.0.30-1.mga8
php-posix-debuginfo-8.0.30-1.mga8
php-session-8.0.30-1.mga8
php-pdo-8.0.30-1.mga8
php-gd-8.0.30-1.mga8
php-pdo_mysql-debuginfo-8.0.30-1.mga8
php-pdo_pgsql-debuginfo-8.0.30-1.mga8
php-zlib-debuginfo-8.0.30-1.mga8
php-pdo_firebird-debuginfo-8.0.30-1.mga8
php-pdo_sqlite-debuginfo-8.0.30-1.mga8
php-xsl-debuginfo-8.0.30-1.mga8
php-calendar-debuginfo-8.0.30-1.mga8
php-xmlwriter-debuginfo-8.0.30-1.mga8
php-sockets-8.0.30-1.mga8
php-tokenizer-debuginfo-8.0.30-1.mga8
php-xmlreader-debuginfo-8.0.30-1.mga8
php-imap-8.0.30-1.mga8
php-sodium-8.0.30-1.mga8
php-exif-8.0.30-1.mga8
php-gmp-8.0.30-1.mga8
php-ldap-8.0.30-1.mga8
php-zip-8.0.30-1.mga8
php-pcntl-debuginfo-8.0.30-1.mga8
php-ftp-8.0.30-1.mga8
php-odbc-8.0.30-1.mga8
php-pdo_dblib-debuginfo-8.0.30-1.mga8
php-readline-debuginfo-8.0.30-1.mga8
php-iconv-8.0.30-1.mga8
php-zlib-8.0.30-1.mga8
php-dba-8.0.30-1.mga8
php-tidy-8.0.30-1.mga8
php-sqlite3-8.0.30-1.mga8
php-snmp-8.0.30-1.mga8
php-pdo_odbc-debuginfo-8.0.30-1.mga8
php-enchant-debuginfo-8.0.30-1.mga8
php-bz2-debuginfo-8.0.30-1.mga8
php-pdo_pgsql-8.0.30-1.mga8
php-bcmath-8.0.30-1.mga8
php-sysvmsg-debuginfo-8.0.30-1.mga8
php-posix-8.0.30-1.mga8
php-xmlreader-8.0.30-1.mga8
php-ctype-debuginfo-8.0.30-1.mga8
php-pcntl-8.0.30-1.mga8
php-filter-8.0.30-1.mga8
php-xmlwriter-8.0.30-1.mga8
php-gettext-debuginfo-8.0.30-1.mga8
php-pdo_firebird-8.0.30-1.mga8
php-readline-8.0.30-1.mga8
php-pdo_dblib-8.0.30-1.mga8
php-pdo_sqlite-8.0.30-1.mga8
php-tokenizer-8.0.30-1.mga8
php-pdo_mysql-8.0.30-1.mga8
php-calendar-8.0.30-1.mga8
php-bz2-8.0.30-1.mga8
php-xsl-8.0.30-1.mga8
php-shmop-debuginfo-8.0.30-1.mga8
php-cgi-8.0.30-1.mga8
php-sysvshm-debuginfo-8.0.30-1.mga8
php-enchant-8.0.30-1.mga8
php-shmop-8.0.30-1.mga8
php-sysvshm-8.0.30-1.mga8
php-cli-8.0.30-1.mga8
php-pdo_odbc-8.0.30-1.mga8
php-gettext-8.0.30-1.mga8
php-sysvsem-debuginfo-8.0.30-1.mga8
php-sysvsem-8.0.30-1.mga8
php-sysvmsg-8.0.30-1.mga8
php-fpm-apache-8.0.30-1.mga8
php-ctype-8.0.30-1.mga8
php-fpm-nginx-8.0.30-1.mga8
php-fpm-8.0.30-1.mga8
phpdbg-8.0.30-1.mga8
apache-mod_php-8.0.30-1.mga8
php-opcache-debuginfo-8.0.30-1.mga8
php-fileinfo-8.0.30-1.mga8
php-fpm-debuginfo-8.0.30-1.mga8
apache-mod_php-debuginfo-8.0.30-1.mga8
php-cli-debuginfo-8.0.30-1.mga8
phpdbg-debuginfo-8.0.30-1.mga8
php-cgi-debuginfo-8.0.30-1.mga8
php-debugsource-8.0.30-1.mga8
php-devel-8.0.30-1.mga8

SRPM:
php-8.0.30-1.mga8.src.rpm

Assignee: mageia => qa-bugs

Comment 3 Herman Viaene 2023-08-12 11:41:02 CEST
Using QARepo I get loads of this stuff when selecting packages:
The following packages have to be removed for others to be upgraded:
php-bcmath-8.0.29-1.mga8.x86_64
 (due to unsatisfied php-common == 3:8.0)
php-calendar-8.0.29-1.mga8.x86_64
 (due to unsatisfied php-common == 3:8.0)
etc.....
and then clicking OK
Sorry, the following package cannot be selected:

- php-bz2-8.0.30-1.mga8.x86_64 (due to conflicts with php-bz2-8.1.18-1.mga8.x86_64)
This is the story of the unselected backport repos again??

CC: (none) => herman.viaene

Comment 4 Marc Krämer 2023-08-12 11:56:06 CEST
I guess it is
Comment 5 Herman Viaene 2023-08-12 12:16:03 CEST
MGA8-64 MATE on Acer Aspire 5253
Updated using MCC - Update your system.
Refer to bug 31180 for testing:
$ php -S localhost:8000 -t php
[Sat Aug 12 11:57:57 2023] PHP 8.0.30 Development Server (http://localhost:8000) started
Then pointing Firefox to http://localhost:8000/create-png.php and http://localhost:8000/sample.php displays correct image and text message.
Works OK and get feedback at the CLI:
[Sat Aug 12 11:58:07 2023] [::1]:49890 Accepted
[Sat Aug 12 11:58:08 2023] [::1]:49890 [200]: GET /create-png.php
[Sat Aug 12 11:58:08 2023] [::1]:49890 Closing
[Sat Aug 12 11:58:10 2023] [::1]:49896 Accepted
[Sat Aug 12 11:58:10 2023] [::1]:49896 [404]: GET /favicon.ico - No such file or directory
[Sat Aug 12 11:58:10 2023] [::1]:49896 Closing
[Sat Aug 12 11:58:15 2023] [::1]:34116 Accepted
[Sat Aug 12 11:58:15 2023] [::1]:34116 [200]: GET /sample.php
[Sat Aug 12 11:58:15 2023] [::1]:34116 Closing

Make sure httpd and mysqld are running, then start phpmyadmin, log in, delete old database testphp8029, create a new database testphp8030 and create a new table with PK and unique key and timestamp and insert some values.
All works OK, good to go.

Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2023-08-12 14:23:00 CEST
Validating. Advisory information in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-08-20 21:14:05 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2023-08-23 21:58:24 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0248.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
