Bug 33094 - PHP Backport 8.3.6 (security update)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Backports
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: https://www.php.net/ChangeLog-8.php#8...
Whiteboard: MGA9-64-OK
Keywords: validated_backport
Reported: 2024-04-11 20:48 CEST by Marc Krämer
Modified: 2024-04-18 21:12 CEST
Source RPM: php
Description Marc Krämer 2024-04-11 20:48:50 CEST
https://www.php.net/ChangeLog-8.php#8.3.6
Comment 1 Marc Krämer 2024-04-11 20:52:40 CEST
https://www.php.net/ChangeLog-8.php#8.3.6
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1874 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2756
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3096



Updated packages in core/backports_testing:
========================
php8.3-fpm-debuginfo-8.3.6-1.mga9
phpdbg8.3-debuginfo-8.3.6-1.mga9
php8.3-cli-debuginfo-8.3.6-1.mga9
php8.3-cgi-debuginfo-8.3.6-1.mga9
php8.3-fpm-8.3.6-1.mga9
phpdbg8.3-8.3.6-1.mga9
apache-mod_php8.3-debuginfo-8.3.6-1.mga9
php8.3-cli-8.3.6-1.mga9
php8.3-cgi-8.3.6-1.mga9
php-debugsource-8.3.6-1.mga9
php8.3-opcache-debuginfo-8.3.6-1.mga9
apache-mod_php8.3-8.3.6-1.mga9
php8.3-intl-debuginfo-8.3.6-1.mga9
php-debuginfo-8.3.6-1.mga9
php8.3-mbstring-debuginfo-8.3.6-1.mga9
php8.3-soap-debuginfo-8.3.6-1.mga9
php8.3-fileinfo-8.3.6-1.mga9
php8.3-mbstring-8.3.6-1.mga9
php8.3-intl-8.3.6-1.mga9
php8.3-dom-debuginfo-8.3.6-1.mga9
php8.3-opcache-8.3.6-1.mga9
php8.3-phar-debuginfo-8.3.6-1.mga9
php8.3-openssl-debuginfo-8.3.6-1.mga9
php8.3-mysqlnd-debuginfo-8.3.6-1.mga9
php8.3-soap-8.3.6-1.mga9
php8.3-mysqli-debuginfo-8.3.6-1.mga9
php8.3-phar-8.3.6-1.mga9
php8.3-pdo-debuginfo-8.3.6-1.mga9
php8.3-pgsql-debuginfo-8.3.6-1.mga9
php8.3-fileinfo-debuginfo-8.3.6-1.mga9
php8.3-session-debuginfo-8.3.6-1.mga9
php8.3-curl-debuginfo-8.3.6-1.mga9
php8.3-dom-8.3.6-1.mga9
php8.3-mysqlnd-8.3.6-1.mga9
php8.3-ini-8.3.6-1.mga9
php8.3-sockets-debuginfo-8.3.6-1.mga9
php8.3-openssl-8.3.6-1.mga9
php8.3-zip-debuginfo-8.3.6-1.mga9
php8.3-sodium-debuginfo-8.3.6-1.mga9
php8.3-gd-debuginfo-8.3.6-1.mga9
php8.3-dba-debuginfo-8.3.6-1.mga9
php8.3-ldap-debuginfo-8.3.6-1.mga9
php8.3-imap-debuginfo-8.3.6-1.mga9
php8.3-gmp-debuginfo-8.3.6-1.mga9
php8.3-snmp-debuginfo-8.3.6-1.mga9
php8.3-sqlite3-debuginfo-8.3.6-1.mga9
php8.3-mysqli-8.3.6-1.mga9
php8.3-devel-8.3.6-1.mga9
php8.3-tidy-debuginfo-8.3.6-1.mga9
php8.3-exif-debuginfo-8.3.6-1.mga9
php8.3-pdo-8.3.6-1.mga9
php8.3-pgsql-8.3.6-1.mga9
php8.3-session-8.3.6-1.mga9
php8.3-posix-debuginfo-8.3.6-1.mga9
php8.3-filter-debuginfo-8.3.6-1.mga9
php8.3-curl-8.3.6-1.mga9
php8.3-ftp-debuginfo-8.3.6-1.mga9
php8.3-odbc-debuginfo-8.3.6-1.mga9
php8.3-sodium-8.3.6-1.mga9
php8.3-bcmath-debuginfo-8.3.6-1.mga9
php8.3-gd-8.3.6-1.mga9
php8.3-sockets-8.3.6-1.mga9
php8.3-iconv-debuginfo-8.3.6-1.mga9
php8.3-imap-8.3.6-1.mga9
php8.3-pcntl-debuginfo-8.3.6-1.mga9
php8.3-zip-8.3.6-1.mga9
php8.3-xmlreader-debuginfo-8.3.6-1.mga9
php8.3-doc-8.3.6-1.mga9
php8.3-ldap-8.3.6-1.mga9
php8.3-pdo_pgsql-debuginfo-8.3.6-1.mga9
php8.3-zlib-debuginfo-8.3.6-1.mga9
php8.3-pdo_mysql-debuginfo-8.3.6-1.mga9
php8.3-pdo_firebird-debuginfo-8.3.6-1.mga9
php8.3-xsl-debuginfo-8.3.6-1.mga9
php8.3-gmp-8.3.6-1.mga9
php8.3-pdo_sqlite-debuginfo-8.3.6-1.mga9
php8.3-readline-debuginfo-8.3.6-1.mga9
php8.3-odbc-8.3.6-1.mga9
php8.3-xmlwriter-debuginfo-8.3.6-1.mga9
php8.3-exif-8.3.6-1.mga9
php8.3-ftp-8.3.6-1.mga9
php8.3-tokenizer-debuginfo-8.3.6-1.mga9
php8.3-pdo_dblib-debuginfo-8.3.6-1.mga9
php8.3-sqlite3-8.3.6-1.mga9
php8.3-dba-8.3.6-1.mga9
php8.3-tidy-8.3.6-1.mga9
php8.3-pdo_odbc-debuginfo-8.3.6-1.mga9
php8.3-snmp-8.3.6-1.mga9
php8.3-calendar-debuginfo-8.3.6-1.mga9
php8.3-filter-8.3.6-1.mga9
php8.3-zlib-8.3.6-1.mga9
php8.3-iconv-8.3.6-1.mga9
php8.3-pdo_pgsql-8.3.6-1.mga9
php8.3-enchant-debuginfo-8.3.6-1.mga9
php8.3-bz2-debuginfo-8.3.6-1.mga9
php8.3-posix-8.3.6-1.mga9
php8.3-xmlwriter-8.3.6-1.mga9
php8.3-bcmath-8.3.6-1.mga9
php8.3-pcntl-8.3.6-1.mga9
php8.3-pdo_firebird-8.3.6-1.mga9
php8.3-xmlreader-8.3.6-1.mga9
php8.3-sysvmsg-debuginfo-8.3.6-1.mga9
php8.3-ctype-debuginfo-8.3.6-1.mga9
php8.3-gettext-debuginfo-8.3.6-1.mga9
php8.3-pdo_sqlite-8.3.6-1.mga9
php8.3-pdo_dblib-8.3.6-1.mga9
php8.3-pdo_odbc-8.3.6-1.mga9
php8.3-readline-8.3.6-1.mga9
php8.3-tokenizer-8.3.6-1.mga9
php8.3-sysvshm-debuginfo-8.3.6-1.mga9
php8.3-pdo_mysql-8.3.6-1.mga9
php8.3-xsl-8.3.6-1.mga9
php8.3-calendar-8.3.6-1.mga9
php8.3-bz2-8.3.6-1.mga9
php8.3-enchant-8.3.6-1.mga9
php8.3-shmop-debuginfo-8.3.6-1.mga9
php8.3-sysvsem-debuginfo-8.3.6-1.mga9
php8.3-sysvmsg-8.3.6-1.mga9
php8.3-sysvshm-8.3.6-1.mga9
php8.3-gettext-8.3.6-1.mga9
php8.3-sysvsem-8.3.6-1.mga9
php8.3-shmop-8.3.6-1.mga9
php8.3-fpm-nginx-8.3.6-1.mga9
php8.3-ctype-8.3.6-1.mga9
php8.3-fpm-apache-8.3.6-1.mga9
php-latest-8.3.6-1.mga9

Source RPMs: 
php-8.3.6-1.mga9.src.rpm

Assignee: mageia => qa-bugs

PC LX 2024-04-11 23:55:30 CEST

CC: (none) => mageia

Comment 2 PC LX 2024-04-14 11:03:21 CEST
Installed and tested for 3 days without issues.

Tested:
- with apache and php-fpm (my normal setup);
- with apache and mod_php;
- heimdall, wordpress, drupal, nextcloud, phpmyadmin, mediawiki, roundcubemail, rutorrent, etc;
- multiple websites and CLI scripts;
- xdebug with netbeans.

All OK. No regressions found.



System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.



$ uname -a
Linux marte 6.6.22-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 17 18:04:51 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep -E 'php(8.3|-pear)' | sort
php8.3-apcu-5.1.23-5.mga9
php8.3-apcu-admin-5.1.23-5.mga9
php8.3-bcmath-8.3.6-1.mga9
php8.3-bz2-8.3.6-1.mga9
php8.3-cli-8.3.6-1.mga9
php8.3-ctype-8.3.6-1.mga9
php8.3-curl-8.3.6-1.mga9
php8.3-dom-8.3.6-1.mga9
php8.3-exif-8.3.6-1.mga9
php8.3-fileinfo-8.3.6-1.mga9
php8.3-filter-8.3.6-1.mga9
php8.3-fpm-8.3.6-1.mga9
php8.3-fpm-apache-8.3.6-1.mga9
php8.3-gd-8.3.6-1.mga9
php8.3-gmp-8.3.6-1.mga9
php8.3-iconv-8.3.6-1.mga9
php8.3-imagick-3.7.0-10.mga9
php8.3-imap-8.3.6-1.mga9
php8.3-ini-8.3.6-1.mga9
php8.3-intl-8.3.6-1.mga9
php8.3-ldap-8.3.6-1.mga9
php8.3-mbstring-8.3.6-1.mga9
php8.3-mysqli-8.3.6-1.mga9
php8.3-mysqlnd-8.3.6-1.mga9
php8.3-opcache-8.3.6-1.mga9
php8.3-openssl-8.3.6-1.mga9
php8.3-pcntl-8.3.6-1.mga9
php8.3-pdo-8.3.6-1.mga9
php8.3-pdo_mysql-8.3.6-1.mga9
php8.3-pdo_sqlite-8.3.6-1.mga9
php8.3-pear-1.10.14-3.mga9
php8.3-phar-8.3.6-1.mga9
php8.3-posix-8.3.6-1.mga9
php8.3-session-8.3.6-1.mga9
php8.3-sockets-8.3.6-1.mga9
php8.3-sodium-8.3.6-1.mga9
php8.3-sqlite3-8.3.6-1.mga9
php8.3-sysvsem-8.3.6-1.mga9
php8.3-sysvshm-8.3.6-1.mga9
php8.3-tokenizer-8.3.6-1.mga9
php8.3-xdebug-3.3.1-2.mga9
php8.3-xmlreader-8.3.6-1.mga9
php8.3-xmlwriter-8.3.6-1.mga9
php8.3-zip-8.3.6-1.mga9
php8.3-zlib-8.3.6-1.mga9
php-pear-Auth_SASL-1.1.0-3.mga9
php-pear-Console_CommandLine-1.2.2-6.mga9
php-pear-Crypt_GPG-1.6.7-2.mga9
php-pear-Mail_Mime-1.10.9-2.mga9
php-pear-Net_LDAP2-2.2.0-5.mga9
php-pear-Net_Sieve-1.4.6-1.mga9
php-pear-Net_SMTP-1.10.1-2.mga9
php-pear-Net_Socket-1.2.2-4.mga9
Comment 3 PC LX 2024-04-16 09:37:21 CEST
Giving the OK for x86_64 after 5 days of use without issues (comment 2). Please undo if appropriate.

Whiteboard: (none) => MGA9-64-OK

katnatek 2024-04-16 20:05:03 CEST

CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-04-17 00:27:07 CEST
Validating

Keywords: (none) => validated_backport

katnatek 2024-04-17 04:27:30 CEST

CC: (none) => sysadmin-bugs

Comment 5 katnatek 2024-04-17 04:29:35 CEST
(In reply to Thomas Andrews from comment #4)
> Validating

I wonder why, when you validate a backport, sysadmins are not added to CC automatically, as when you do the same for regular updates?
Comment 6 Thomas Andrews 2024-04-17 15:16:09 CEST
No idea. I never noticed the difference before.

Sounds like a question for the sysadmins.
Comment 7 Marc Krämer 2024-04-17 16:02:06 CEST
I guess because backports have been handled differently. But I think, as you installed the notifications on backports, we should handle backports and updates the same way.
Comment 8 Dan Fandrich 2024-04-17 21:50:17 CEST
The consensus in #32929 seems to be posting to backports-announce when new backports are available, rather than creating advisory files like regular bug/security fix updates. So, if we follow that route then the workflows for backports will be considerably different.

Since we don't have automatic tooling to send to backports-announce yet, or even consensus on #32929, does someone volunteer to send a message to backports-announce if I push this update?

CC: (none) => dan

Comment 9 katnatek 2024-04-18 02:53:37 CEST
(In reply to Dan Fandrich from comment #8)
> The consensus in #32929 seems to be posting to backports-announce when new
> backports are available, rather than creating advisory files like regular
> bug/security fix updates. So, if we follow that route then the workflows
> for backports will be considerably different.
> 
> Since we don't have automatic tooling to send to backports-announce yet, or
> even consensus on #32929, does someone volunteer to send a message to
> backports-announce if I push this update?

Of course, I'll do as I already do to announce the availability of the packages for testing https://ml.mageia.org/l/arc/backports-announce/2024-04/msg00003.html
Comment 10 Dan Fandrich 2024-04-18 19:52:16 CEST
php-8.3.6-1.mga9.src.rpm has been moved to core/backports.
Comment 11 katnatek 2024-04-18 21:12:34 CEST
Announce sent

Resolution: (none) => FIXED
Status: NEW => RESOLVED