Bug 57824 - php7.3: Multiple issues (5.0)
Summary: php7.3: Multiple issues (5.0)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.0
Hardware: All Linux
: P3 normal
Target Milestone: UCS 5.0-9-errata
Assignee: Quality Assurance
QA Contact: Arvid Requate
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-01-07 11:14 CET by Quality Assurance
Modified: 2025-01-08 15:00 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2025-01-07 11:14:07 CET 
New Debian php7.3 7.3.31-1~deb10u9 fixes:
This update addresses the following issues:

Debian update 7.3.31-1~deb10u9
7.3.31-1~deb10u9 (Sun, 08 Dec 2024 14:41:40 +0100)
* Non-maintainer upload by the ELTS Team.
* Fix CVE-2024-8929: Partial content leak of the heap through heap buffer  over-read in mysqlnd.
* Fix CVE-2024-8932: Out-of-bound write in ldap_escape().
* Fix CVE-2024-11233: Single byte overread with  convert.quoted-printable-decode filter.
* Fix CVE-2024-11234: Configuring a proxy in a stream context might allow for  CRLF injection in URIs.
* Fix CVE-2024-11236: Out-of-bound writes in in the firebird and dblib  quoters due integer overflow.
* Fix GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data()  Processing in CLI SAPI Interface.
Comment 1 Quality Assurance univentionstaff 2025-01-07 12:00:13 CET 
--- mirror/ftp/pool/main/p/php7.3/php7.3_7.3.31-1~deb10u8.dsc
+++ apt/ucs_5.0-0-errata5.0-9/source/php7.3_7.3.31-1~deb10u9.dsc
@@ -1,3 +1,18 @@
+7.3.31-1~deb10u9 [Sun, 08 Dec 2024 14:41:40 +0100] Guilhem Moulin <guilhem@debian.org>:
+
+  * Non-maintainer upload by the ELTS Team.
+  * Fix CVE-2024-8929: Partial content leak of the heap through heap buffer
+    over-read in mysqlnd. (Closes: #1088688)
+  * Fix CVE-2024-8932: Out-of-bound write in ldap_escape(). (Closes: #1088688)
+  * Fix CVE-2024-11233: Single byte overread with
+    convert.quoted-printable-decode filter. (Closes: #1088688)
+  * Fix CVE-2024-11234: Configuring a proxy in a stream context might allow
+    for CRLF injection in URIs. (Closes: #1088688)
+  * Fix CVE-2024-11236: Out-of-bound writes in in the firebird and dblib
+    quoters due integer overflow. (Closes: #1088688)
+  * Fix GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data()
+    Processing in CLI SAPI Interface.
+
 7.3.31-1~deb10u8 [Tue, 15 Oct 2024 18:27:23 +0200] Guilhem Moulin <guilhem@debian.org>:
 
   * Non-maintainer upload by the ELTS Team.

<http://piuparts.knut.univention.de/5.0-9/#6832068596978535783>
Comment 2 Arvid Requate univentionstaff 2025-01-08 12:47:10 CET 
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-9] d092865e7d Bug #57824: php7.3 7.3.31-1~deb10u9
 doc/errata/staging/php7.3.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)