Your message dated Sat, 2 Sep 2023 20:54:37 +0200
with message-id <ZPOE7SOxuvze/v...@eldamar.lan>
and subject line [ftpmas...@ftp-master.debian.org: Accepted php8.2 8.2.10-1 (source) into unstable]
has caused the Debian Bug report #1043477,
regarding php8.2: CVE-2023-3823 CVE-2023-3824
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1043477: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043477
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php8.2
Version: 8.2.7-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 8.2.7-1~deb12u1

Hi,

The following vulnerabilities were published for php8.2.

CVE-2023-3823[0]:
| In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.*
| before 8.2.8 various XML functions rely on libxml global state to
| track configuration variables, like whether external entities are
| loaded. This state is assumed to be unchanged unless the user
| explicitly changes it by calling appropriate function. However,
| since the state is process-global, other modules - such
| as ImageMagick - may also use this library within the same process,
| and change that global state for their internal purposes, and leave
| it in a state where external entities loading is enabled. This can
| lead to the situation where external XML is parsed with external
| entities loaded, which can lead to disclosure of any local files
| accessible to PHP. This vulnerable state may persist in the same
| process across many requests, until the process is shut down.


CVE-2023-3824[1]:
| In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.*
| before 8.2.8, when loading phar file, while reading PHAR directory
| entries, insufficient length checking may lead to a stack buffer
| overflow, leading potentially to memory corruption or RCE.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-3823
    https://www.cve.org/CVERecord?id=CVE-2023-3823
[1] https://security-tracker.debian.org/tracker/CVE-2023-3824
    https://www.cve.org/CVERecord?id=CVE-2023-3824

Regards,
Salvatore

--- End Message ---
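The CVE-2023-3823 text above turns on one point: PHP's XML functions trusted a process-global libxml setting for whether external entities get loaded, and another library in the same process could flip it. The added example below (mine, not code from the bug report, the php8.2 package or php-src) shows how application code can parse untrusted XML without depending on that shared state at all. The function name parseUntrustedXml and the two sample documents are constructed for this example; the rejected sample uses a placeholder file path, not a real target.

```php
<?php
declare(strict_types=1);

/**
 * Parse XML from an untrusted source without relying on libxml's
 * process-global entity-loader state (the condition described in
 * CVE-2023-3823). Added example; not part of the Debian package or php-src.
 *
 * @throws InvalidArgumentException on any document we are not willing to parse
 */
function parseUntrustedXml(string $xml): DOMDocument
{
    // Defence 1: refuse documents that carry a DTD at all. Entity declarations,
    // internal or external, can only appear inside a DOCTYPE, so rejecting the
    // DOCTYPE up front removes the XXE surface whatever the global state is.
    // This is a byte-level check; it is deliberately fail-closed (a comment or
    // CDATA block containing "<!DOCTYPE" is rejected too).
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }

    $dom = new DOMDocument();

    // Defence 2: never pass LIBXML_NOENT (which asks libxml to substitute
    // entities), and pass LIBXML_NONET so the parser makes no network requests.
    // NOERROR/NOWARNING keep libxml from spamming the log for garbage input.
    $options = LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING;

    $previous = libxml_use_internal_errors(true);
    try {
        if ($dom->loadXML($xml, $options) === false) {
            throw new InvalidArgumentException('Malformed XML');
        }
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }

    // Defence 3: re-check after parsing. The byte-level regex above can miss a
    // DOCTYPE in input that libxml decoded from another encoding (e.g. UTF-16),
    // so confirm the parsed tree really has no DTD.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }

    return $dom;
}

// --- Constructed sample inputs for the demonstration ---------------------

// A benign document: parses normally.
$benign = '<?xml version="1.0"?><order><item sku="A1"/></order>';

// A document declaring an external entity. The SYSTEM path is a constructed
// placeholder; the point is that the document is rejected before any entity
// loading decision is ever made.
$withDtd = '<?xml version="1.0"?>'
    . '<!DOCTYPE d [<!ENTITY e SYSTEM "file:///constructed/placeholder/path">]>'
    . '<d>&e;</d>';

echo 'benign root element: ', parseUntrustedXml($benign)->documentElement->tagName, "\n";

try {
    parseUntrustedXml($withDtd);
    echo "unexpected: document with DTD was accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected as expected: ', $e->getMessage(), "\n";
}
```

Note on design: the obvious older remedy, calling libxml_disable_entity_loader(true) before parsing, is deprecated as of PHP 8.0 and is itself a per-process switch, i.e. exactly the kind of shared state the CVE description says another module may change behind PHP's back. Refusing DOCTYPE structurally and never requesting entity substitution does not depend on that state, so it holds whether or not the interpreter carries the 8.2.8 fix.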
--- Begin Message ---
Source: php8.2
Source-Version: 8.2.10-1

This upload fixes as well #1043477, tracking bug for CVE-2023-3823 and
CVE-2023-3824.

----- Forwarded message from Debian FTP Masters <ftpmas...@ftp-master.debian.org> -----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 Sep 2023 08:31:05 +0200
Source: php8.2
Architecture: source
Version: 8.2.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP Maintainers <team+pkg-...@tracker.debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Changes:
 php8.2 (8.2.10-1) unstable; urgency=medium
 .
   * New upstream version 8.2.10
   * Enable DTrace on all architectures
Checksums-Sha1:
 9fb1d06aa69fcadbc447f400afbd96368c2dcda6 5694 php8.2_8.2.10-1.dsc
 677c4f2c1091afdedb9455dac77ce2e8efc973c0 12041348 php8.2_8.2.10.orig.tar.xz
 852d4d8ab95c239a927ed2ad0b68822c5dafe5af 858 php8.2_8.2.10.orig.tar.xz.asc
 9231fdcd753025966bc280f3b34cc386373acdfc 69500 php8.2_8.2.10-1.debian.tar.xz
 65a037944703da7079f13300ff6089676ae7d0e9 32858 php8.2_8.2.10-1_amd64.buildinfo
Checksums-Sha256:
 c4a4fcafce9d2323cd0b9f7c17977d56e5db77688dbae27bc53bb07c773048e6 5694 php8.2_8.2.10-1.dsc
 561dc4acd5386e47f25be76f2c8df6ae854756469159248313bcf276e282fbb3 12041348 php8.2_8.2.10.orig.tar.xz
 7697adb0dbbc66d3edfa32cdca7dbd2c5d548974e6594eddc91fa23526c22a8c 858 php8.2_8.2.10.orig.tar.xz.asc
 a8954e3cfa3199b6984511875702da260605c17266f55e951e19fddb4ca11240 69500 php8.2_8.2.10-1.debian.tar.xz
 b0c6589d8bd3ae0feb7e8a2e55b414b1f3767de0b757410380ce6562f4c9fc74 32858 php8.2_8.2.10-1_amd64.buildinfo
Files:
 ba4b051ada62d347bd40921bb612a4c3 5694 php optional php8.2_8.2.10-1.dsc
 7cf41ae950f76e031599129f7cac6719 12041348 php optional php8.2_8.2.10.orig.tar.xz
 44ea3744a42f39a86235b4efc7026181 858 php optional php8.2_8.2.10.orig.tar.xz.asc
 2e7fdad7613dd249bdf3aa809132ada9 69500 php optional php8.2_8.2.10-1.debian.tar.xz
 15d73db1556a5e75cb2064fc9b3455c3 32858 php optional php8.2_8.2.10-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


----- End forwarded message -----

--- End Message ---
