Debian Security Advisory
DLA-3345-1 php7.3 -- LTS security update
- Date Reported:
- 26 Feb 2023
- Affected Packages:
- php7.3
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 1031368.
In Mitre's CVE dictionary: CVE-2022-31631, CVE-2023-0567, CVE-2023-0568, CVE-2023-0662. - More information:
-
Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in denial of service or incorrect validation of BCrypt hashes.
- CVE-2022-31631
Due to an uncaught integer overflow,
PDO::quote()
ofPDO_SQLite
may return an improperly quoted string. The exact details likely depend on the implementation ofsqlite3_snprintf()
, but with some versions it is possible to force the function to return a single apostrophe, if the function is called on user supplied input without any length restrictions in place. - CVE-2023-0567
Tim Düsterhus discovered that malformed BCrypt hashes that include a
$
character within their salt part trigger a buffer overread and may erroneously validate any password as valid. (Password_verify()
always returnstrue
with such inputs.) - CVE-2023-0568
1-byte array overrun when appending slash to paths during path resolution.
- CVE-2023-0662
Jakob Ackermann discovered a Denial of Service vulnerability when parsing multipart request body: the request body parsing in PHP allows any unauthenticated attacker to consume a large amount of CPU time and trigger excessive logging.
For Debian 10 buster, these problems have been fixed in version 7.3.31-1~deb10u3.
We recommend that you upgrade your php7.3 packages.
For the detailed security status of php7.3 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/php7.3
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
- CVE-2022-31631