Bug 33278 - PHP new security issues CVE-2024-4577, CVE-2024-5458, CVE-2024-5585
Summary: PHP new security issues CVE-2024-4577, CVE-2024-5458, CVE-2024-5585
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: PHP Stack Maintainers
QA Contact: Sec team
URL:
Whiteboard: MGA9TOO
Keywords:
Depends on: 33358 33359
Blocks:
Reported: 2024-06-10 10:05 CEST by Nicolas Salguero
Modified: 2024-07-11 09:58 CEST (History)

See Also:
Source RPM: php-8.3.8-1.mga10.src.rpm
CVE: CVE-2024-4577, CVE-2024-5458, CVE-2024-5585
Status comment: Fixed upstream in 8.3.8, 8.2.20 and 8.1.29


Description Nicolas Salguero 2024-06-10 10:05:08 CEST
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/06/07/1

Mageia 9 is also affected.
Nicolas Salguero 2024-06-10 10:06:06 CEST

CVE: (none) => CVE-2024-4577, CVE-2024-5458, CVE-2024-5585
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => php-8.3.8-1.mga10.src.rpm
Status comment: (none) => Fixed upstream in 8.3.8, 8.2.20 and 8.1.29

Nicolas Salguero 2024-06-10 10:06:11 CEST

Severity: normal => critical

Comment 1 Lewis Smith 2024-06-10 20:23:53 CEST
Assigning to PHP stack maintainers.

Assignee: bugsquad => php

Nicolas Salguero 2024-07-09 10:04:26 CEST

Depends on: (none) => 33358

Nicolas Salguero 2024-07-09 10:15:57 CEST

Depends on: (none) => 33359

Comment 2 Marc Krämer 2024-07-09 11:06:26 CEST
CVE-2024-4577 is Windows only, not affected: "...when using Apache and PHP-CGI on Windows..."
CVE-2024-5458: affected (moderate)
CVE-2024-5585: not affected: "...the user can supply arguments that would execute arbitrary commands in Windows shell..."

CC: (none) => mageia

Comment 3 Nicolas Salguero 2024-07-11 09:58:59 CEST
Fixed by bug 33359 and bug 33358.

Resolution: (none) => FIXED
Status: NEW => RESOLVED
