Hi,

thanks for the poke.

Would it also be ok to do the php7.4 via bullseye-security, or do you
want me specifically to do the stable-updates?

Ondrej
--
Ondřej Surý (He/Him)
ond...@sury.org

> On 7. 7. 2022, at 17:42, Moritz Mühlenhoff <j...@inutil.org> wrote:
> 
> Source: php8.1
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerabilities were published for php8.1.
> 
> CVE-2022-31625[0]:
> | In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x
> | below 8.1.7, when using Postgres database extension, supplying invalid
> | parameters to the parametrized query may lead to PHP attempting to
> | free memory using uninitialized data as pointers. This could lead to
> | RCE vulnerability or denial of service.
> 
> https://bugs.php.net/bug.php?id=81720
> 
> CVE-2022-31626[1]:
> | In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x
> | below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the
> | third party is allowed to supply host to connect to and the password
> | for the connection, password of excessive length can trigger a buffer
> | overflow in PHP, which can lead to a remote code execution
> | vulnerability.
> 
> https://bugs.php.net/bug.php?id=81719
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2022-31625
>    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31625
> [1] https://security-tracker.debian.org/tracker/CVE-2022-31626
>    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31626
> 
> Please adjust the affected versions in the BTS as needed.
> 
