Source: php8.2
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerabilities were published for php8.2. I think the plan is to switch to 8.3 for trixie, so 8.2 will probably be removed at some point, but still filing a bug to keep track of these issues in the interim:

CVE-2024-11233[0]:
| In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.*
| before 8.3.14, due to an error in convert.quoted-printable-decode
| filter certain data can lead to buffer overread by one byte, which
| can in certain circumstances lead to crashes or disclose content of
| other memory areas.

CVE-2024-11234[1]:
| In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.*
| before 8.3.14, when using streams with configured proxy and
| "request_fulluri" option, the URI is not properly sanitized which
| can lead to HTTP request smuggling and allow the attacker to use the
| proxy to perform arbitrary HTTP requests originating from the
| server, thus potentially gaining access to resources not normally
| available to the external user.

CVE-2024-11236[2]:
| In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.*
| before 8.3.14, uncontrolled long string inputs to
| ldap_escape() function on 32-bit systems can cause an integer
| overflow, resulting in an out-of-bounds write.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-11233
    https://www.cve.org/CVERecord?id=CVE-2024-11233
[1] https://security-tracker.debian.org/tracker/CVE-2024-11234
    https://www.cve.org/CVERecord?id=CVE-2024-11234
[2] https://security-tracker.debian.org/tracker/CVE-2024-11236
    https://www.cve.org/CVERecord?id=CVE-2024-11236

Please adjust the affected versions in the BTS as needed.
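The following is an added example and is not part of the bug report above, of the Debian package, or of PHP itself. It turns the three advisory texts into two checks an operator can run on a host: compare the running interpreter against the fixed releases the CVE texts name (8.1.31, 8.2.26, 8.3.14), and, for the CVE-2024-11234 case, refuse to hand a URI containing control characters or whitespace to a proxied stream with `request_fulluri` enabled. The proxy address `tcp://proxy.example:3128` and the host `example.test` are placeholders assumed for illustration; the URI check is a defensive layer in application code, not a substitute for upgrading to a fixed release.

```php
<?php
// Added example, not part of the Debian bug report or of PHP itself.
// Checks derived from CVE-2024-11233 / 11234 / 11236:
//  1. is the running interpreter at or past the fixed release of its branch?
//  2. before using a stream proxy with request_fulluri, refuse URIs that carry
//     control characters or whitespace, the raw material of request smuggling.

declare(strict_types=1);

// Fixed releases named in the CVE texts, keyed by minor branch.
const PHP_FIXED_RELEASES = [
    '8.1' => '8.1.31',
    '8.2' => '8.2.26',
    '8.3' => '8.3.14',
];

/** Fixed release to compare $version against, or null if its branch is not in the advisory. */
function fixedReleaseForBranch(string $version): ?string
{
    $parts  = explode('.', $version);
    $branch = $parts[0] . '.' . ($parts[1] ?? '0');
    return PHP_FIXED_RELEASES[$branch] ?? null;
}

/** True when $version is an affected release of a covered branch. */
function isAffected(string $version): bool
{
    $fixed = fixedReleaseForBranch($version);
    return $fixed !== null && version_compare($version, $fixed, '<');
}

/**
 * Refuse a URI that is unsafe as an absolute request-URI on a proxy connection.
 * CR, LF, NUL, other control bytes and spaces must never reach the request
 * line, and only http/https schemes are forwarded.
 */
function assertSafeFullUri(string $uri): string
{
    if (preg_match('/[\x00-\x20\x7f]/', $uri) === 1) {
        throw new InvalidArgumentException('control character or whitespace in URI');
    }
    $scheme = parse_url($uri, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http/https URIs may be proxied');
    }
    return $uri;
}

/** Fetch $uri through $proxy with request_fulluri, after the check above. */
function fetchViaProxy(string $uri, string $proxy): string|false
{
    $ctx = stream_context_create([
        'http' => [
            'proxy'           => $proxy,   // assumed placeholder, e.g. 'tcp://proxy.example:3128'
            'request_fulluri' => true,
            'timeout'         => 10,
        ],
    ]);
    return file_get_contents(assertSafeFullUri($uri), false, $ctx);
}

// --- usage -----------------------------------------------------------------
printf("PHP %s: %s\n", PHP_VERSION,
    isAffected(PHP_VERSION)
        ? 'AFFECTED by CVE-2024-11233 / CVE-2024-11234 / CVE-2024-11236'
        : 'at or past the fixed release of its branch (or branch not covered)');

if (PHP_INT_SIZE === 4) {
    echo "32-bit build: CVE-2024-11236 (ldap_escape) applies; bound input length before calling it\n";
}

// Constructed smuggling-style input: a CRLF and a second request inside the URI.
$bad = "http://example.test/a HTTP/1.1\r\nHost: internal\r\n\r\nGET /admin";
try {
    assertSafeFullUri($bad);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
// fetchViaProxy('http://example.test/', 'tcp://proxy.example:3128'); // assumed proxy
```

Run it with `php check.php` on the host in question. The version test is only as good as the branch table: a backported Debian security build may carry a fixed patch under a version string older than the upstream release, so confirm against the security tracker entries cited above rather than trusting the string alone.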