Univention Bugzilla – Bug 55759
php7.3: Multiple issues (5.0)
Last modified: 2023-03-01 14:55:26 CET
New Debian php7.3 7.3.31-1~deb10u3 fixes:

This update addresses the following issues:
* PDO::quote() may return unquoted string due to an integer overflow (CVE-2022-31631)
* Password_verify() always return true with some hash (CVE-2023-0567)
* 1-byte array overrun in common path resolve code (CVE-2023-0568)
* DoS vulnerability when parsing multipart request body (CVE-2023-0662)
--- mirror/ftp/pool/main/p/php7.3/php7.3_7.3.31-1~deb10u2.dsc +++ apt/ucs_5.0-0-errata5.0-3/source/php7.3_7.3.31-1~deb10u3.dsc @@ -1,3 +1,15 @@ +7.3.31-1~deb10u3 [Sun, 26 Feb 2023 14:00:55 +0100] Guilhem Moulin <guilhem@debian.org>: + + * Non-maintainer upload by the LTS Security Team. + * CVE-2022-31631: Uncaught integer overflow. + * CVE-2023-0567: Malformatted BCrypt hashes that include a `$` within their + salt part trigger a buffer overread and may erroneously validate any + password as valid (closes: #1031368). + * CVE-2023-0568: 1-byte array overrun in common path resolve code (closes: + #1031368). + * CVE-2023-0662: DoS vulnerability when parsing multipart request body + (closes: #1031368). + 7.3.31-1~deb10u2 [Thu, 15 Dec 2022 10:39:10 +0100] Emilio Pozuelo Monfort <pochu@debian.org>: * Non-maintainer upload by the LTS Team. <http://piuparts.knut.univention.de/5.0-3/#9052518499941454633>
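Review bot: in the added 7.3.31-1~deb10u3 stanza, the CVE-2022-31631 entry reads only "Uncaught integer overflow" and is the one entry of the four without a closes: reference. Suggest naming the affected function, PDO::quote(), as the erratum text for this bug does, and either adding the bug reference or noting that none exists, so the entry can be matched to its fix without looking up the CVE.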
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-3] 5ed4e7ab62 Bug #55759: php7.3 7.3.31-1~deb10u3
 doc/errata/staging/php7.3.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

[5.0-3] b7bc00d9b9 Bug #55759: php7.3 7.3.31-1~deb10u3
 doc/errata/staging/php7.3.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x598>