https://www.php.net/ChangeLog-8.php#8.2.24
CVE: (none) => CVE-2024-8926, CVE-2024-8927
Updated php package:

This update [1] fixes some security vulnerabilities:
- HTTP_REDIRECT_STATUS might be controlled via user request [2].
- FPM log output might be modified by an attacker [3].
- HTTP POST can be modified by an attacker [4].

For other bug fixes consult [1].

References:
[1] https://www.php.net/ChangeLog-8.php#8.2.24
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8927
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9026
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8925

========================
Updated packages in core/updates_testing:
========================
php8.3-intl-8.3.12-1.mga9 php8.3-openssl-debuginfo-8.3.12-1.mga9 php8.3-dom-debuginfo-8.3.12-1.mga9 php8.3-phar-debuginfo-8.3.12-1.mga9 php8.3-opcache-8.3.12-1.mga9 php8.3-mbstring-8.3.12-1.mga9 php8.3-mysqli-debuginfo-8.3.12-1.mga9 php8.3-mysqlnd-debuginfo-8.3.12-1.mga9 php-debuginfo-8.3.12-1.mga9 php8.3-curl-debuginfo-8.3.12-1.mga9 php8.3-soap-8.3.12-1.mga9 php8.3-pgsql-debuginfo-8.3.12-1.mga9 php8.3-soap-debuginfo-8.3.12-1.mga9 php8.3-fileinfo-debuginfo-8.3.12-1.mga9 php8.3-pdo-debuginfo-8.3.12-1.mga9 php8.3-phar-8.3.12-1.mga9 php8.3-mbstring-debuginfo-8.3.12-1.mga9 php8.3-session-debuginfo-8.3.12-1.mga9 php8.3-intl-debuginfo-8.3.12-1.mga9 php8.3-sockets-debuginfo-8.3.12-1.mga9 php8.3-mysqlnd-8.3.12-1.mga9 php8.3-sodium-debuginfo-8.3.12-1.mga9 php8.3-zip-debuginfo-8.3.12-1.mga9 php8.3-gd-debuginfo-8.3.12-1.mga9 php8.3-ini-8.3.12-1.mga9 php8.3-dom-8.3.12-1.mga9 php8.3-ldap-debuginfo-8.3.12-1.mga9 php8.3-imap-debuginfo-8.3.12-1.mga9 php8.3-dba-debuginfo-8.3.12-1.mga9 php8.3-openssl-8.3.12-1.mga9 php8.3-gmp-debuginfo-8.3.12-1.mga9 php8.3-snmp-debuginfo-8.3.12-1.mga9 php8.3-exif-debuginfo-8.3.12-1.mga9 php8.3-sqlite3-debuginfo-8.3.12-1.mga9 php8.3-mysqli-8.3.12-1.mga9 php8.3-pgsql-8.3.12-1.mga9 php8.3-tidy-debuginfo-8.3.12-1.mga9 php8.3-ftp-debuginfo-8.3.12-1.mga9 php8.3-odbc-debuginfo-8.3.12-1.mga9 php8.3-pdo-8.3.12-1.mga9
php8.3-bcmath-debuginfo-8.3.12-1.mga9 php8.3-curl-8.3.12-1.mga9 php8.3-filter-debuginfo-8.3.12-1.mga9 php8.3-iconv-debuginfo-8.3.12-1.mga9 php8.3-session-8.3.12-1.mga9 php8.3-posix-debuginfo-8.3.12-1.mga9 php8.3-pcntl-debuginfo-8.3.12-1.mga9 php8.3-gd-8.3.12-1.mga9 php8.3-xmlreader-debuginfo-8.3.12-1.mga9 php8.3-sodium-8.3.12-1.mga9 php8.3-doc-8.3.12-1.mga9 php8.3-pdo_pgsql-debuginfo-8.3.12-1.mga9 php8.3-sockets-8.3.12-1.mga9 php8.3-zlib-debuginfo-8.3.12-1.mga9 php8.3-zip-8.3.12-1.mga9 php8.3-imap-8.3.12-1.mga9 php8.3-ldap-8.3.12-1.mga9 php8.3-exif-8.3.12-1.mga9 php8.3-pdo_firebird-debuginfo-8.3.12-1.mga9 php8.3-pdo_mysql-debuginfo-8.3.12-1.mga9 php8.3-xsl-debuginfo-8.3.12-1.mga9 php8.3-opcache-debuginfo-8.3.12-1.mga9 php8.3-tokenizer-debuginfo-8.3.12-1.mga9 php8.3-odbc-8.3.12-1.mga9 php8.3-pdo_dblib-debuginfo-8.3.12-1.mga9 php8.3-pdo_sqlite-debuginfo-8.3.12-1.mga9 php8.3-gmp-8.3.12-1.mga9 php8.3-readline-debuginfo-8.3.12-1.mga9 php8.3-sqlite3-8.3.12-1.mga9 php8.3-ftp-8.3.12-1.mga9 php8.3-xmlwriter-debuginfo-8.3.12-1.mga9 php8.3-dba-8.3.12-1.mga9 php8.3-calendar-debuginfo-8.3.12-1.mga9 php8.3-bz2-debuginfo-8.3.12-1.mga9 php8.3-enchant-debuginfo-8.3.12-1.mga9 php8.3-zlib-8.3.12-1.mga9 php8.3-iconv-8.3.12-1.mga9 php8.3-filter-8.3.12-1.mga9 php8.3-tidy-8.3.12-1.mga9 php8.3-pdo_odbc-debuginfo-8.3.12-1.mga9 php8.3-xmlwriter-8.3.12-1.mga9 php8.3-snmp-8.3.12-1.mga9 php8.3-pdo_pgsql-8.3.12-1.mga9 php8.3-pcntl-8.3.12-1.mga9 php8.3-pdo_sqlite-8.3.12-1.mga9 php8.3-pdo_firebird-8.3.12-1.mga9 php8.3-bcmath-8.3.12-1.mga9 php8.3-xmlreader-8.3.12-1.mga9 php8.3-sysvmsg-debuginfo-8.3.12-1.mga9 php8.3-gettext-debuginfo-8.3.12-1.mga9 php8.3-ctype-debuginfo-8.3.12-1.mga9 php8.3-posix-8.3.12-1.mga9 php8.3-readline-8.3.12-1.mga9 php8.3-calendar-8.3.12-1.mga9 php8.3-xsl-8.3.12-1.mga9 php8.3-sysvshm-debuginfo-8.3.12-1.mga9 php8.3-tokenizer-8.3.12-1.mga9 php8.3-pdo_dblib-8.3.12-1.mga9 php8.3-shmop-debuginfo-8.3.12-1.mga9 php8.3-sysvsem-debuginfo-8.3.12-1.mga9 php8.3-pdo_odbc-8.3.12-1.mga9 
php8.3-sysvshm-8.3.12-1.mga9 php8.3-pdo_mysql-8.3.12-1.mga9 php8.3-bz2-8.3.12-1.mga9 php8.3-enchant-8.3.12-1.mga9 php8.3-gettext-8.3.12-1.mga9 php-latest-8.3.12-1.mga9 php8.3-fpm-nginx-8.3.12-1.mga9 php8.3-sysvsem-8.3.12-1.mga9 php8.3-fpm-apache-8.3.12-1.mga9 php8.3-shmop-8.3.12-1.mga9 php8.3-ctype-8.3.12-1.mga9 php8.3-sysvmsg-8.3.12-1.mga9 php8.3-cli-8.3.12-1.mga9 phpdbg8.3-8.3.12-1.mga9 php8.3-cgi-8.3.12-1.mga9 php8.3-fpm-8.3.12-1.mga9 apache-mod_php8.3-8.3.12-1.mga9 php8.3-fileinfo-8.3.12-1.mga9 php8.3-fpm-debuginfo-8.3.12-1.mga9 php8.3-cli-debuginfo-8.3.12-1.mga9 php8.3-cgi-debuginfo-8.3.12-1.mga9 phpdbg8.3-debuginfo-8.3.12-1.mga9 apache-mod_php8.3-debuginfo-8.3.12-1.mga9 php-debugsource-8.3.12-1.mga9 php8.3-devel-8.3.12-1.mga9 SRPM: php-8.3.12-1.mga9.src.rpm
CVE: CVE-2024-8926, CVE-2024-8927 => CVE-2024-8927, CVE-2024-9026
Assignee: mageia => qa-bugs
sorry wrong file list; atm https://pkgsubmit.mageia.org is down.
SRPM: php-8.2.24-1.mga9.src.rpm files in core/updates_testing: php-cli-8.2.24-1.mga9 php-cgi-8.2.24-1.mga9 phpdbg-8.2.24-1.mga9 php-fpm-8.2.24-1.mga9 php-debuginfo-8.2.24-1.mga9 php-intl-debuginfo-8.2.24-1.mga9 php-soap-debuginfo-8.2.24-1.mga9 php-opcache-debuginfo-8.2.24-1.mga9 php-mbstring-8.2.24-1.mga9 php-mbstring-debuginfo-8.2.24-1.mga9 php-phar-debuginfo-8.2.24-1.mga9 php-dom-debuginfo-8.2.24-1.mga9 php-opcache-8.2.24-1.mga9 apache-mod_php-8.2.24-1.mga9 php-openssl-debuginfo-8.2.24-1.mga9 php-mysqlnd-debuginfo-8.2.24-1.mga9 php-intl-8.2.24-1.mga9 php-mysqli-debuginfo-8.2.24-1.mga9 php-pdo-debuginfo-8.2.24-1.mga9 php-pgsql-debuginfo-8.2.24-1.mga9 php-curl-debuginfo-8.2.24-1.mga9 php-soap-8.2.24-1.mga9 php-phar-8.2.24-1.mga9 php-fileinfo-debuginfo-8.2.24-1.mga9 php-sockets-debuginfo-8.2.24-1.mga9 php-session-debuginfo-8.2.24-1.mga9 php-ini-8.2.24-1.mga9 php-fileinfo-8.2.24-1.mga9 php-mysqlnd-8.2.24-1.mga9 php-zip-debuginfo-8.2.24-1.mga9 php-sodium-debuginfo-8.2.24-1.mga9 php-imap-debuginfo-8.2.24-1.mga9 php-gd-debuginfo-8.2.24-1.mga9 php-dba-debuginfo-8.2.24-1.mga9 php-ldap-debuginfo-8.2.24-1.mga9 php-openssl-8.2.24-1.mga9 php-dom-8.2.24-1.mga9 php-gmp-debuginfo-8.2.24-1.mga9 php-snmp-debuginfo-8.2.24-1.mga9 php-mysqli-8.2.24-1.mga9 php-sqlite3-debuginfo-8.2.24-1.mga9 php-exif-debuginfo-8.2.24-1.mga9 php-tidy-debuginfo-8.2.24-1.mga9 php-doc-8.2.24-1.mga9.noarch php-pgsql-8.2.24-1.mga9 php-ftp-debuginfo-8.2.24-1.mga9 php-odbc-debuginfo-8.2.24-1.mga9 php-pdo-8.2.24-1.mga9 php-filter-debuginfo-8.2.24-1.mga9 php-bcmath-debuginfo-8.2.24-1.mga9 php-session-8.2.24-1.mga9 php-curl-8.2.24-1.mga9 php-pcntl-debuginfo-8.2.24-1.mga9 php-gd-8.2.24-1.mga9 php-iconv-debuginfo-8.2.24-1.mga9 php-xmlreader-debuginfo-8.2.24-1.mga9 php-posix-debuginfo-8.2.24-1.mga9 php-pdo_pgsql-debuginfo-8.2.24-1.mga9 php-sodium-8.2.24-1.mga9 php-imap-8.2.24-1.mga9 php-sockets-8.2.24-1.mga9 php-zlib-debuginfo-8.2.24-1.mga9 php-pdo_mysql-debuginfo-8.2.24-1.mga9 php-zip-8.2.24-1.mga9 
php-ldap-8.2.24-1.mga9 php-pdo_firebird-debuginfo-8.2.24-1.mga9 php-exif-8.2.24-1.mga9 php-pdo_sqlite-debuginfo-8.2.24-1.mga9 php-readline-debuginfo-8.2.24-1.mga9 php-xsl-debuginfo-8.2.24-1.mga9 php-xmlwriter-debuginfo-8.2.24-1.mga9 php-gmp-8.2.24-1.mga9 php-tokenizer-debuginfo-8.2.24-1.mga9 php-odbc-8.2.24-1.mga9 php-ftp-8.2.24-1.mga9 php-pdo_dblib-debuginfo-8.2.24-1.mga9 php-sqlite3-8.2.24-1.mga9 php-pdo_odbc-debuginfo-8.2.24-1.mga9 php-calendar-debuginfo-8.2.24-1.mga9 php-dba-8.2.24-1.mga9 php-snmp-8.2.24-1.mga9 php-bz2-debuginfo-8.2.24-1.mga9 php-tidy-8.2.24-1.mga9 apache-mod_php-debuginfo-8.2.24-1.mga9 php-zlib-8.2.24-1.mga9 php-iconv-8.2.24-1.mga9 php-filter-8.2.24-1.mga9 php-enchant-debuginfo-8.2.24-1.mga9 php-pdo_pgsql-8.2.24-1.mga9 php-posix-8.2.24-1.mga9 php-pcntl-8.2.24-1.mga9 php-xmlwriter-8.2.24-1.mga9 php-xmlreader-8.2.24-1.mga9 php-cli-debuginfo-8.2.24-1.mga9 php-pdo_firebird-8.2.24-1.mga9 php-ctype-debuginfo-8.2.24-1.mga9 php-pdo_sqlite-8.2.24-1.mga9 php-gettext-debuginfo-8.2.24-1.mga9 php-sysvmsg-debuginfo-8.2.24-1.mga9 php-readline-8.2.24-1.mga9 php-bcmath-8.2.24-1.mga9 php-calendar-8.2.24-1.mga9 php-pdo_odbc-8.2.24-1.mga9 php-xsl-8.2.24-1.mga9 php-pdo_dblib-8.2.24-1.mga9 php-sysvshm-debuginfo-8.2.24-1.mga9 php-tokenizer-8.2.24-1.mga9 php-pdo_mysql-8.2.24-1.mga9 php-bz2-8.2.24-1.mga9 php-sysvsem-debuginfo-8.2.24-1.mga9 php-sysvshm-8.2.24-1.mga9 php-enchant-8.2.24-1.mga9 php-shmop-8.2.24-1.mga9 php-sysvmsg-8.2.24-1.mga9 php-shmop-debuginfo-8.2.24-1.mga9 php-gettext-8.2.24-1.mga9 php-fpm-nginx-8.2.24-1.mga9 php-sysvsem-8.2.24-1.mga9 php-ctype-8.2.24-1.mga9 php-fpm-apache-8.2.24-1.mga9 php-cgi-debuginfo-8.2.24-1.mga9 php-fpm-debuginfo-8.2.24-1.mga9 phpdbg-debuginfo-8.2.24-1.mga9 php-debugsource-8.2.24-1.mga9 php-devel-8.2.24-1.mga9
RH x86_64

I advance in the downtime and update the packages in my system

rpm -qa|grep 8.2.24
php-sysvsem-8.2.24-1.mga9
php-openssl-8.2.24-1.mga9
php-zlib-8.2.24-1.mga9
php-fpm-apache-8.2.24-1.mga9
php-fpm-8.2.24-1.mga9
php-session-8.2.24-1.mga9
php-sysvshm-8.2.24-1.mga9
php-ini-8.2.24-1.mga9
php-cli-8.2.24-1.mga9

systemctl status php-fpm.service
● php-fpm.service - The PHP FastCGI Process Manager
     Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; enabled; preset: disabled)
     Active: active (running) since Wed 2024-10-09 10:34:37 CST; 17min ago
   Main PID: 1849 (php-fpm)
     Status: "Processes active: 0, idle: 20, Requests: 1, slow: 0, Traffic: 0.00req/sec"
      Tasks: 21 (limit: 6880)
     Memory: 15.0M
        CPU: 97ms
     CGroup: /system.slice/php-fpm.service
             ├─1849 "php-fpm: master process (/etc/php-fpm.conf)"
             ├─2361 "php-fpm: pool www"
             ├─2362 "php-fpm: pool www"
             ├─2363 "php-fpm: pool www"
             ├─2364 "php-fpm: pool www"
             ├─2365 "php-fpm: pool www"
             ├─2366 "php-fpm: pool www"
             ├─2367 "php-fpm: pool www"
             ├─2368 "php-fpm: pool www"
             ├─2369 "php-fpm: pool www"
             ├─2370 "php-fpm: pool www"
             ├─2371 "php-fpm: pool www"
             ├─2372 "php-fpm: pool www"
             ├─2373 "php-fpm: pool www"
             ├─2374 "php-fpm: pool www"
             ├─2375 "php-fpm: pool www"
             ├─2376 "php-fpm: pool www"
             ├─2377 "php-fpm: pool www"
             ├─2378 "php-fpm: pool www"
             ├─2379 "php-fpm: pool www"
             └─2380 "php-fpm: pool www"

oct 09 10:34:11 jgrey.phoenix systemd[1]: Starting php-fpm.service...
oct 09 10:34:37 jgrey.phoenix systemd[1]: Started php-fpm.service.

php pages work
php script works
Keywords: (none) => advisory
RH i586

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "BDK-Free-i586" is up-to-date
medium "BDK-Free-noarch" is up-to-date
medium "BDK-NonFree-i586" is up-to-date

installing
php-sysvsem-8.2.24-1.mga9.i586.rpm
php-cli-8.2.24-1.mga9.i586.rpm
php-ini-8.2.24-1.mga9.i586.rpm
php-openssl-8.2.24-1.mga9.i586.rpm
php-zlib-8.2.24-1.mga9.i586.rpm
php-sysvshm-8.2.24-1.mga9.i586.rpm
from //home/katnatek/qa-testing/i586
Preparing...
1/6: php-cli
2/6: php-openssl
3/6: php-zlib
4/6: php-sysvshm
5/6: php-ini
6/6: php-sysvsem
1/6: removing php-cli-3:8.2.23-1.mga9.i586
2/6: removing php-ini-3:8.2.23-1.mga9.i586
3/6: removing php-sysvsem-3:8.2.23-1.mga9.i586
4/6: removing php-openssl-3:8.2.23-1.mga9.i586
5/6: removing php-sysvshm-3:8.2.23-1.mga9.i586
6/6: removing php-zlib-3:8.2.23-1.mga9.i586

php script works
As my test was considered good enough in previous rounds I set the OKs
Whiteboard: (none) => MGA9-64-OK,MGA9-32-OK
CC: (none) => andrewsfarm
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0328.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED