From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id B94951581F0 for ; Thu, 23 Jan 2025 07:38:18 +0000 (UTC) Received: from lists.gentoo.org (bobolink.gentoo.org [140.211.166.189]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) (Authenticated sender: relay-lists.gentoo.org@gentoo.org) by smtp.gentoo.org (Postfix) with ESMTPSA id E8EF6344709 for ; Thu, 23 Jan 2025 07:33:53 +0000 (UTC) Received: from bobolink.gentoo.org (localhost [127.0.0.1]) by bobolink.gentoo.org (Postfix) with ESMTP id 3748F110486; Thu, 23 Jan 2025 07:26:54 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by bobolink.gentoo.org (Postfix) with ESMTPS id 56CCD11042D for ; Thu, 23 Jan 2025 07:26:40 +0000 (UTC) Received: from glsamakerdev.dev.gentoo.org (glsamakerdev.dev.gentoo.org [140.211.166.178]) by smtp.gentoo.org (Postfix) with ESMTP id 3C9CF343386 for ; Thu, 23 Jan 2025 07:26:40 +0000 (UTC) Received: from [172.18.0.3] (unknown [172.18.0.3]) by glsamakerdev.dev.gentoo.org (Postfix) with ESMTP id 33509C773A for ; Thu, 23 Jan 2025 07:26:40 +0000 (UTC) Subject: [gentoo-announce] [ GLSA 202501-11 ] PHP: Multiple Vulnerabilities Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-announce@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="===============8111796535100144192==" From: glsamaker@gentoo.org To: gentoo-announce@lists.gentoo.org Reply-To: security@gentoo.org Date: Thu, 23 Jan 2025 07:26:39 -0000 Message-ID: <173761720020.7.13708687953955352187@3f85d36892cf> X-Archives-Salt: e26a1161-83d2-4766-a95f-a8841278c431 X-Archives-Hash: dbee2bbf48708cbf09c13e6d0e9c4a64 --===============8111796535100144192== Content-Type: text/plain; charset="utf-8" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202501-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: PHP: Multiple Vulnerabilities Date: January 23, 2025 Bugs: #941598 ID: 202501-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been discovered in PHP, the worst of which could lead to arbitrary code execution. Background ========== PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Affected packages ================= Package Vulnerable Unaffected ------------ ------------ ------------- dev-lang/php < 8.1.30:8.1 Vulnerable! < 8.2.24:8.2 >= 8.2.24:8.2 < 8.3.12:8.3 >= 8.3.12:8.3 Description =========== Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All PHP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-8.2.24:8.2" # emerge --ask --oneshot --verbose ">=dev-lang/php-8.3.12:8.3" Gentoo has discontinued support for php 8.1: # emerge --ask --verbose --depclean "dev-lang/php:8.1" References ========== [ 1 ] CVE-2024-8925 https://nvd.nist.gov/vuln/detail/CVE-2024-8925 [ 2 ] CVE-2024-8927 https://nvd.nist.gov/vuln/detail/CVE-2024-8927 [ 3 ] CVE-2024-9026 https://nvd.nist.gov/vuln/detail/CVE-2024-9026 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202501-11 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2025 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 --===============8111796535100144192== Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmeR7y8ACgkQFMQkOaVy +9mqrhAA1jqmbtcT5dBqbNirnwUZXKIPx/C3QE6+qw+29BVsg/c8WS775DXoqAyu qBgYrkWyTviUa+CXjqassB3pnSK9B1cMod1iTJIpI6bGdMs29ixaqbkuPjLXjoyj qM3jKRxAobNGNZ/dSKJAjMYloYxW5gBxpqXvHmXCLYcuSdJkj4S2mH8s2dNY4e/S GwjhTMbjj0MAlhzErYLkaxd2JCXo522eh7VcgDzhXvIGpQwBFsSpeldLjJ9nIode 3U5s4R3JVZWwi8fdXtqvpj78yzA4mi9dnb5ncD9NPET2kfus+YNmEyjRn/MDxL9O fg/AZ4OE9god5pEFetBw5LFtCNcEJLoQf0lwqVzalKbkMV+VK4GfuJLtpUdIlt7b e++JVf2wYXV/UQft/d4MDx1aFmTESoVtCBdH455BkaJEcoRjsKWEjc12ZPxvnJnr ezXrNElQ2YtSrvOmICoAAtgyXapB6Mr8Bq+lQTyqooo0hafuPvvq+yYWH2pWBkR5 8bDBkCw3QbDj0dNknt/GpaB27EfKUN0Nj4ssPV/7tLfx2/Oyvwunlw6OItwvGXAw p0mOk7vZn0fL4jYAt/lGKCl/UowfB/aog2KefrZaaOsPYkd+ypdELOz9JmzwYLGt ebk6Wt6S8GwQCUmFKrLHausdq197N3yK/Eq5vfa6pHkU2Wctv1o= =Wrp6 -----END PGP SIGNATURE----- --===============8111796535100144192==--