Wednesday, January 29, 2025

[USN-7157-3] PHP vulnerabilities

==========================================================================

Ubuntu Security Notice USN-7157-3
January 29, 2025

php7.0 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php7.0: HTML-embedded scripting language interpreter

Details:

USN-7157-1 fixed vulnerabilities in PHP versions 7.4, 8.1, and 8.3.
This update provides the corresponding updates for PHP version 7.0.

Original advisory details:

 It was discovered that PHP incorrectly handled certain inputs when
 processed with convert.quoted-printable decode filters.
 An attacker could possibly use this issue to expose sensitive
 information or cause a crash. (CVE-2024-11233)

 It was discovered that PHP incorrectly handled certain HTTP requests.
 An attacker could possibly use this issue to perform arbitrary
 HTTP requests originating from the server, thus potentially
 gaining access to resources not normally available to the external
 user. (CVE-2024-11234)

 It was discovered that PHP incorrectly handled certain inputs.
 An attacker could possibly use this issue to cause a crash or
 execute arbitrary code. (CVE-2024-8932)

 It was discovered that PHP incorrectly handled certain MySQL requests.
 An attacker could possibly use this issue to cause the client to
 disclose the content of its heap containing data from other SQL requests
 and possibly other data belonging to different users of the same server.
 (CVE-2024-8929)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
  libapache2-mod-php7.0           7.0.33-0ubuntu0.16.04.16+esm14
                                  Available with Ubuntu Pro
  php7.0                          7.0.33-0ubuntu0.16.04.16+esm14
                                  Available with Ubuntu Pro
  php7.0-cgi                      7.0.33-0ubuntu0.16.04.16+esm14
                                  Available with Ubuntu Pro
  php7.0-cli                      7.0.33-0ubuntu0.16.04.16+esm14
                                  Available with Ubuntu Pro
  php7.0-ldap                     7.0.33-0ubuntu0.16.04.16+esm14
                                  Available with Ubuntu Pro
  php7.0-mysql                    7.0.33-0ubuntu0.16.04.16+esm14
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
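
To confirm the update actually landed, the installed versions can be compared against the fixed version in the table above. The following is an added example, not part of the Ubuntu notice: it implements dpkg's version ordering and runs it over a constructed package listing (the function names and the sample versions other than the fixed one are assumptions).

```python
import re
from itertools import zip_longest

# Fixed version and package names are taken from the advisory's update table.
FIXED = "7.0.33-0ubuntu0.16.04.16+esm14"
PACKAGES = {"libapache2-mod-php7.0", "php7.0", "php7.0-cgi",
            "php7.0-cli", "php7.0-ldap", "php7.0-mysql"}

def _order(c):
    # dpkg ordering: '~' < end of string (0) < letters < other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Walk alternating (non-digit, digit) chunks, as dpkg does.
    pa, pb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in zip_longest(pa, pb, fillvalue=("", "")):
        # Trailing 0 marks end of chunk; digits compare numerically (esm9 < esm14).
        ka = ([_order(c) for c in sa] + [0], int(da or 0))
        kb = ([_order(c) for c in sb] + [0], int(db or 0))
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def _split(v):
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(listing):
    """Return {package: version} for advisory packages older than FIXED."""
    found = (line.split() for line in listing.splitlines() if line.strip())
    return {p: v for p, v in found
            if p in PACKAGES and compare_versions(v, FIXED) < 0}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
SAMPLE = """\
php7.0 7.0.33-0ubuntu0.16.04.16+esm9
php7.0-cli 7.0.33-0ubuntu0.16.04.16+esm14
php7.0-mysql 7.0.33-0ubuntu0.16.04.16
openssl 1.0.2g-1ubuntu4.20
"""
```

A plain string comparison would rank `+esm9` above `+esm14` and report that host as patched, which is why the numeric chunk comparison matters here.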

References:
  https://ubuntu.com/security/notices/USN-7157-3
  https://ubuntu.com/security/notices/USN-7157-2
  https://ubuntu.com/security/notices/USN-7157-1
  CVE-2024-11233, CVE-2024-11234, CVE-2024-8929, CVE-2024-8932
