Ubuntu Security Notice USN-5818-1
Ubuntu Security Notice 5818-1 - It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code.
==========================================================================
Ubuntu Security Notice USN-5818-1
January 23, 2023
php7.2, php7.4, php8.1 vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
PHP could be made to crash or execute arbitrary code if it received
a specially crafted input.
Software Description:
- php8.1: HTML-embedded scripting language interpreter
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
Details:
It was discovered that PHP incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a crash or
execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.10:
libapache2-mod-php7.4 8.1.7-1ubuntu3.2
libapache2-mod-php8.0 8.1.7-1ubuntu3.2
libapache2-mod-php8.1 8.1.7-1ubuntu3.2
php8.1 8.1.7-1ubuntu3.2
php8.1-cgi 8.1.7-1ubuntu3.2
php8.1-cli 8.1.7-1ubuntu3.2
php8.1-sqlite3 8.1.7-1ubuntu3.2
Ubuntu 22.04 LTS:
libapache2-mod-php7.4 8.1.2-1ubuntu2.10
libapache2-mod-php8.0 8.1.2-1ubuntu2.10
libapache2-mod-php8.1 8.1.2-1ubuntu2.10
php8.1 8.1.2-1ubuntu2.10
php8.1-cgi 8.1.2-1ubuntu2.10
php8.1-cli 8.1.2-1ubuntu2.10
php8.1-sqlite3 8.1.2-1ubuntu2.10
Ubuntu 20.04 LTS:
libapache2-mod-php7.4 7.4.3-4ubuntu2.17
php7.4 7.4.3-4ubuntu2.17
php7.4-cgi 7.4.3-4ubuntu2.17
php7.4-cli 7.4.3-4ubuntu2.17
php7.4-sqlite3 7.4.3-4ubuntu2.17
Ubuntu 18.04 LTS:
libapache2-mod-php7.2 7.2.24-0ubuntu0.18.04.16
php7.2 7.2.24-0ubuntu0.18.04.16
php7.2-cgi 7.2.24-0ubuntu0.18.04.16
php7.2-cli 7.2.24-0ubuntu0.18.04.16
php7.2-sqlite3 7.2.24-0ubuntu0.18.04.16
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5818-1
CVE-2022-31631
Package Information:
https://launchpad.net/ubuntu/+source/php8.1/8.1.7-1ubuntu3.2
https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.10
https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.17
https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.16