Advisories » MGASA-2022-0362

Updated php packages fix security vulnerability

Publication date: 08 Oct 2022
Modification date: 08 Oct 2022
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-31628, CVE-2022-31629

Description

Core
  Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
  Fixed bug GH-9361 (Segmentation fault on script exit #9379).
  Fixed bug GH-9407 (LSP error in eval'd code refers to wrong class for
  static type).
  Fixed bug #81727: Don't mangle HTTP variable names that clash with ones
  that have a specific semantic meaning. (CVE-2022-31629)

DOM
  Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double
  free).

FPM
  Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to
  error_log after daemon reload).
  Fixed bug #77780 ("Headers already sent..." when previous connection was
  aborted).

GMP
  Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is
  passed to gmp_init()).

Intl
  Fixed bug GH-9421 (Incorrect argument number for ValueError in
  NumberFormatter).

Phar
  Fixed bug #81726: phar wrapper: DOS when using quine gzip file.
  (CVE-2022-31628)

PDO_PGSQL
  Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed).

Reflection
  Fixed bug GH-8932 (ReflectionFunction provides no way to get the called
  class of a Closure).
  Fixed bug GH-9409 (Private method is incorrectly dumped as
  "overwrites").

Streams
  Fixed bug GH-9316 ($http_response_header is wrong for long status line).

References

SRPMS

8/core