Your message dated Thu, 07 Jul 2022 17:08:49 +0000
with message-id <[email protected]>
and subject line Bug#1014533: fixed in php8.1 8.1.7-1
has caused the Debian Bug report #1014533,
regarding php8.1: CVE-2022-31625 CVE-2022-31626
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1014533: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014533
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: php8.1
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for php8.1.

CVE-2022-31625[0]:
| In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x
| below 8.1.7, when using the Postgres database extension, supplying
| invalid parameters to the parametrized query may lead to PHP
| attempting to free memory using uninitialized data as pointers. This
| could lead to an RCE vulnerability or denial of service.

https://bugs.php.net/bug.php?id=81720

CVE-2022-31626[1]:
| In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x
| below 8.1.7, when using the pdo_mysql extension with the mysqlnd
| driver, if a third party is allowed to supply the host to connect to
| and the password for the connection, a password of excessive length
| can trigger a buffer overflow in PHP, which can lead to a remote code
| execution vulnerability.

https://bugs.php.net/bug.php?id=81719

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31625
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31625
[1] https://security-tracker.debian.org/tracker/CVE-2022-31626
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31626

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: php8.1
Source-Version: 8.1.7-1
Done: Ondřej Surý <[email protected]>

We believe that the bug you reported is fixed in the latest version of
php8.1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <[email protected]> (supplier of updated php8.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 25 Jun 2022 09:57:04 +0200
Source: php8.1
Architecture: source
Version: 8.1.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP Maintainers <[email protected]>
Changed-By: Ondřej Surý <[email protected]>
Closes: 1014533
Changes:
 php8.1 (8.1.7-1) unstable; urgency=medium
 .
   * New upstream version 8.1.7 (Closes: #1014533)
    + [CVE-2022-31626]: Fixed mysqlnd/pdo password buffer overflow.
    + [CVE-2022-31625]: Fixed uninitialized array in pg_query_params().
   * Add Provides: php-json to PHP SAPIS
Checksums-Sha1:
Checksums-Sha256:
Files:


--- End Message ---