• Icon: Story Story
    • Resolution: Done-Errata
    • Icon: Undefined Undefined
    • rhel-8.10.z
    • None
    • php-8.2-module
    • None
    • None
    • Rebase
    • rhel-sst-cs-stacks
    • ssg_core_services
    • 1
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None

      To address outstanding low/moderate CVE fixes for PHP 8.2, we will rebase the php:8.2 module stream to the latest PHP 8.1.x upstream release.

      • In 8.2.24
        • CVE-2024-8926 Bypass of CVE-2024-4577, Parameter Injection Vulnerability (Windows only)
        • CVE-2024-8927 cgi.force_redirect configuration is bypassable due to the environment variable collision
        • CVE-2024-9026 Logs from childrens may be altered
        • CVE-2024-8925 Erroneous parsing of multipart form data
      • In 8.2.20
        • CVE-2024-4577 Bypass of CVE-2012-1823, Argument Injection in PHP-CGI (Windows only)
        • CVE-2024-5458 Filter bypass in filter_var FILTER_VALIDATE_URL
        • CVE-2024-5585 Bypass of CVE-2024-1874 (Windows only)
      • In 8.2.18
        • CVE-2024-1874 Command injection via array-ish $command parameter of proc_open (Windows only)
        • CVE-2024-2756 {}Host-/{_}_Secure- cookie bypass due to partial CVE-2022-31629 fix
        • CVE-2024-3096 password_verify can erroneously return true, opening ATO risk

              rcollet@redhat.com Remi Collet
              rcollet@redhat.com Remi Collet
              Remi Collet Remi Collet
              Iveta Cesalova Iveta Cesalova
              Mugdha Soni Mugdha Soni
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: