Your message dated Fri, 28 Oct 2022 21:30:30 +0200
with message-id <y1wt1lmzlzot8...@eldamar.lan>
and subject line Re: Accepted php8.1 8.1.12-1 (source) into unstable
has caused the Debian Bug report #1021138,
regarding php8.1: CVE-2022-31628 CVE-2022-31629
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1021138: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021138
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php8.1
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for php8.1.

CVE-2022-31628[0]:
| In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar
| uncompressor code would recursively uncompress "quines" gzip files,
| resulting in an infinite loop.

PHP Bug: https://bugs.php.net/bug.php?id=81726
https://github.com/php/php-src/commit/404e8bdb68350931176a5bdc86fc417b34fb583d
https://github.com/php/php-src/commit/432bf196d59bcb661fcf9cb7029cea9b43f490af

CVE-2022-31629[1]:
| In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability
| enables network and same-site attackers to set a standard insecure
| cookie in the victim's browser which is treated as a `__Host-` or
| `__Secure-` cookie by PHP applications.

PHP Bug: https://bugs.php.net/bug.php?id=81727
https://github.com/php/php-src/commit/0611be4e82887cee0de6c4cbae320d34eec946ca

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31628
    https://www.cve.org/CVERecord?id=CVE-2022-31628
[1] https://security-tracker.debian.org/tracker/CVE-2022-31629
    https://www.cve.org/CVERecord?id=CVE-2022-31629

Please adjust the affected versions in the BTS as needed.

--- End Message ---
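The first CVE above describes an uncompressor that keeps re-inflating any output that still looks like gzip, so a gzip "quine" (a file that decompresses to itself) never terminates it. The bounded loop below is an added illustration of the defensive shape, not code from php-src or the Debian package; it assumes nothing about phar internals, uses a constructed sample payload, and models the quine case as a layer whose output equals its input.

```python
import gzip
import zlib

# Constructed sample payload; stands in for a phar member, not a real archive.
SAMPLE = b"phar member (constructed sample)"
GZIP_MAGIC = b"\x1f\x8b"


class DecompressionLimit(Exception):
    """Raised when nested decompression exceeds a configured bound."""


def wrap(data: bytes, layers: int) -> bytes:
    """Gzip `data` `layers` times to build nested test input."""
    for _ in range(layers):
        data = gzip.compress(data)
    return data


def decompress_nested(data: bytes, max_layers: int = 8,
                      max_output: int = 16 * 1024 * 1024) -> tuple:
    """Inflate `data` while it still carries a gzip header.

    Returns (payload, layers_removed). Raises DecompressionLimit if more
    than `max_layers` layers are present, if any layer would expand past
    `max_output` bytes, or if a layer decompresses to exactly its own
    input, which is what a gzip quine does and what makes an unbounded
    "inflate until it is no longer gzip" loop never terminate.
    """
    layers = 0
    while data[:2] == GZIP_MAGIC:
        if layers >= max_layers:
            raise DecompressionLimit(f"more than {max_layers} gzip layers")
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
        out = d.decompress(data, max_output + 1)          # bounded inflate
        if len(out) > max_output or d.unconsumed_tail:
            raise DecompressionLimit(f"layer {layers + 1} exceeds {max_output} bytes")
        if out == data:
            raise DecompressionLimit("gzip quine: layer reproduces its own input")
        data = out
        layers += 1
    return data, layers
```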
--- Begin Message ---
Source: php8.1
Source-Version: 8.1.12-1

On Fri, Oct 28, 2022 at 06:37:31PM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Fri, 28 Oct 2022 19:32:24 +0200
> Source: php8.1
> Architecture: source
> Version: 8.1.12-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian PHP Maintainers <team+pkg-...@tracker.debian.org>
> Changed-By: Ondřej Surý <ond...@debian.org>
> Changes:
>  php8.1 (8.1.12-1) unstable; urgency=medium
>  .
>    * New upstream version 8.1.12
>     + CVE-2022-31630: OOB read due to insufficient input validation in
>       imageloadfont()
>     + CVE-2022-37454: buffer overflow in hash_update() on long parameter
> 

--- End Message ---
