-
Story
-
Resolution: Done-Errata
-
Undefined
-
None
-
php-8.2-9050020241112094217.9
-
None
-
Rebase
-
rhel-sst-cs-stacks
-
ssg_core_services
-
1
-
False
-
-
None
-
None
-
Pass
-
Enabled
-
Automated
-
None
To address outstanding low/moderate CVE fixes for PHP 8.2, we will rebase the php:8.2 module stream to the latest PHP 8.1.x upstream release.
- In 8.2.24
- CVE-2024-8926 Bypass of CVE-2024-4577, Parameter Injection Vulnerability (Windows only)
- CVE-2024-8927 cgi.force_redirect configuration is bypassable due to the environment variable collision
- CVE-2024-9026 Logs from childrens may be altered
- CVE-2024-8925 Erroneous parsing of multipart form data
- In 8.2.20
- CVE-2024-4577 Bypass of CVE-2012-1823, Argument Injection in PHP-CGI (Windows only)
- CVE-2024-5458 Filter bypass in filter_var FILTER_VALIDATE_URL
- CVE-2024-5585 Bypass of CVE-2024-1874 (Windows only)
- In 8.2.18
- CVE-2024-1874 Command injection via array-ish $command parameter of proc_open (Windows only)
- CVE-2024-2756 {}Host-/{_}_Secure- cookie bypass due to partial CVE-2022-31629 fix
- CVE-2024-3096 password_verify can erroneously return true, opening ATO risk
- links to
-
RHSA-2024:142872 php security and bugfix update