Hi, thanks for the poke.
Would it also be ok to do the php7.4 via bullseye-security, or do you want me specifically to do the stable-updates?

Ondrej
--
Ondřej Surý (He/Him)
ond...@sury.org

> On 7. 7. 2022, at 17:42, Moritz Mühlenhoff <j...@inutil.org> wrote:
>
> Source: php8.1
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for php8.1.
>
> CVE-2022-31625[0]:
> | In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x
> | below 8.1.7, when using Postgres database extension, supplying invalid
> | parameters to the parametrized query may lead to PHP attempting to
> | free memory using uninitialized data as pointers. This could lead to
> | RCE vulnerability or denial of service.
>
> https://bugs.php.net/bug.php?id=81720
>
> CVE-2022-31626[1]:
> | In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x
> | below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the
> | third party is allowed to supply host to connect to and the password
> | for the connection, password of excessive length can trigger a buffer
> | overflow in PHP, which can lead to a remote code execution
> | vulnerability.
>
> https://bugs.php.net/bug.php?id=81719
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-31625
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31625
> [1] https://security-tracker.debian.org/tracker/CVE-2022-31626
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31626
>
> Please adjust the affected versions in the BTS as needed.