From 3e542feeac8e065151836f1bb5fd8c0e66c7f18f Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 26 Sep 2024 17:00:00 +0200 Subject: Fix Bypass of CVE-2012-1823, Argument Injection in PHP-CGI CVE-2024-4577 Fix Bypass of CVE-2024-4577, Parameter Injection Vulnerability CVE-2024-8926 Fix cgi.force_redirect configuration is bypassable due to the environment variable collision CVE-2024-8927 Fix Logs from childrens may be altered CVE-2024-9026 Fix Erroneous parsing of multipart form data CVE-2024-8925 use ICU 74.2 --- php.spec | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) (limited to 'php.spec') diff --git a/php.spec b/php.spec index c19e38d..2bd4d2e 100644 --- a/php.spec +++ b/php.spec @@ -119,7 +119,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?rcver:~%{rcver}}%{?gh_date:.%{gh_date}} -Release: 17%{?dist} +Release: 18%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -197,6 +197,10 @@ Patch206: php-cve-2023-3824.patch Patch207: php-cve-2024-2756.patch Patch208: php-cve-2024-3096.patch Patch209: php-cve-2024-5458.patch +Patch210: php-cve-2024-8925.patch +Patch211: php-cve-2024-8926.patch +Patch212: php-cve-2024-8927.patch +Patch213: php-cve-2024-9026.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -866,9 +870,9 @@ Group: System Environment/Libraries # All files licensed under PHP version 3.01 License: PHP Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} -BuildRequires: pkgconfig(icu-i18n) >= 73 -BuildRequires: pkgconfig(icu-io) >= 73 -BuildRequires: pkgconfig(icu-uc) >= 73 +BuildRequires: pkgconfig(icu-i18n) >= 74 +BuildRequires: pkgconfig(icu-io) >= 74 +BuildRequires: pkgconfig(icu-uc) >= 74 %description intl The %{?scl_prefix}php-intl package contains a dynamic shared object that will add @@ -998,6 +1002,10 @@ rm ext/openssl/tests/p12_with_extra_certs.p12 %patch -P207 -p1 -b .cve2756 %patch -P208 -p1 -b .cve3096 %patch -P209 -p1 -b .cve5458 +%patch -P210 -p1 -b .cve8925 +%patch -P211 -p1 -b .cve8926 +%patch -P212 -p1 -b .cve8927 +%patch -P213 -p1 -b .cve9026 # Fixes for tests %patch -P300 -p1 -b .datetests @@ -1889,6 +1897,19 @@ EOF %changelog +* Thu Sep 26 2024 Remi Collet - 7.4.33-18 +- Fix Bypass of CVE-2012-1823, Argument Injection in PHP-CGI + CVE-2024-4577 +- Fix Bypass of CVE-2024-4577, Parameter Injection Vulnerability + CVE-2024-8926 +- Fix cgi.force_redirect configuration is bypassable due to the environment variable collision + CVE-2024-8927 +- Fix Logs from childrens may be altered + CVE-2024-9026 +- Fix Erroneous parsing of multipart form data + CVE-2024-8925 +- use ICU 74.2 + * Mon Aug 26 2024 Remi Collet - 7.4.33-17 - add backport for https://bugs.php.net/79589 error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading -- cgit