[SECURITY] [DLA 3345-1] php7.3 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3345-1] php7.3 security update
From: Guilhem Moulin <guilhem@debian.org>
Date: Sun, 26 Feb 2023 23:00:18 +0100
Message-id: <Y/vWcgGwY7trjN8l@debian.org>
Mail-followup-to: debian-lts-announce@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3345-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
February 26, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : php7.3
Version        : 7.3.31-1~deb10u3
CVE ID         : CVE-2022-31631 CVE-2023-0567 CVE-2023-0568 CVE-2023-0662
Debian Bug     : 1031368

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in denial of
service or incorrect validation of BCrypt hashes.

CVE-2022-31631

    Due to an uncaught integer overflow, `PDO::quote()` of PDO_SQLite
    may return an improperly quoted string.  The exact details likely
    depend on the implementation of `sqlite3_snprintf()`, but with some
    versions it is possible to force the function to return a single
    apostrophe, if the function is called on user supplied input without
    any length restrictions in place.

CVE-2023-0567

    Tim Düsterhus discovered that malformed BCrypt hashes that include a
    `$` within their salt part trigger a buffer overread and may
    erroneously validate any password as valid.  (`Password_verify()`
    always return `true` with such inputs.)

CVE-2023-0568

    1-byte array overrun when appending slash to paths during path
    resolution.

CVE-2023-0662

    Jakob Ackermann discovered a Denial of Service vulnerability when
    parsing multipart request body: the request body parsing in PHP
    allows any unauthenticated attacker to consume a large amount of CPU
    time and trigger excessive logging.

For Debian 10 buster, these problems have been fixed in version
7.3.31-1~deb10u3.

We recommend that you upgrade your php7.3 packages.

For the detailed security status of php7.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 3344-1] nodejs security update
Next by Date: [SECURITY] [DLA 3331-2] python-cryptography security update
Previous by thread: [SECURITY] [DLA 3344-1] nodejs security update
Next by thread: [SECURITY] [DLA 3331-2] python-cryptography security update
Index(es):
- Date
- Thread