Advisories » MGASA-2024-0262

Updated php packages fix security vulnerability

Publication date: 11 Jul 2024
Modification date: 11 Jul 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-5458

Description

This update ships the latest version of php 8.2. It fixes security
issues and includes the usual bug fixes.
Vulnerability:
 Due to a code logic error, filtering functions such as filter_var,
when validating URLs (FILTER_VALIDATE_URL), will for certain types of
URLs treat invalid user information (the username + password part of
the URL) as valid user information. This may lead to downstream code
accepting invalid URLs as valid and parsing them incorrectly.
(CVE-2024-5458)
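
A defense-in-depth check for code that consumes validated URLs, as an added example (not part of the advisory or of PHP itself): the hypothetical helper strict_validate_url() re-checks the user information part against the RFC 3986 userinfo grammar instead of relying on filter_var() alone. The helper name, its parameters and the sample URLs are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example). Accepts a URL only if filter_var()
 * accepts it AND its userinfo part, checked independently, is well-formed.
 */
function strict_validate_url(string $url, bool $allowUserinfo = false): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }

    // Take the authority straight from the string so the check does not
    // depend on how another parser splits user, password and host.
    if (!preg_match('~^[a-z][a-z0-9+.\-]*://([^/?#]*)~i', $url, $m)) {
        return true; // no authority component, so no userinfo to check
    }
    $authority = $m[1];

    $at = strrpos($authority, '@');
    if ($at === false) {
        return true; // no userinfo present
    }
    if (!$allowUserinfo) {
        return false; // policy: credentials embedded in URLs are refused
    }

    // RFC 3986: userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
    $userinfo = substr($authority, 0, $at);
    return preg_match(
        '/^(?:[A-Za-z0-9\-._~!$&\'()*+,;=:]|%[0-9A-Fa-f]{2})*$/D',
        $userinfo
    ) === 1;
}

// Constructed sample inputs; the second argument is the userinfo policy.
$samples = [
    ['https://example.com/path', false],
    ['https://user:pass@example.com/', false],
    ['https://user:pass@example.com/', true],
    ['http://us[er@example.com/', true],   // "[" is not legal in userinfo
];
foreach ($samples as [$url, $allow]) {
    printf("%-34s allowUserinfo=%-5s => %s\n", $url,
        var_export($allow, true), var_export(strict_validate_url($url, $allow), true));
}
```

Applications that never expect credentials in a URL can keep the default policy, which refuses any URL carrying a user information part regardless of how filter_var() judged it.
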
Notable fixes:
DOM:
  Fixed bug GH-14343 (Memory leak in xml and dom).
FPM:
  Fixed bug GH-13563 (Setting bool values via env in FPM config fails).
MySQLnd:
  Fix bug GH-14255 (mysqli_fetch_assoc reports error from nested query).
Posix:
  Fix usage of reentrant functions in ext/posix.
Soap:
  Various memory issues
SPL:
  Fixed bug GH-14290 (Member access within null pointer in extension
spl).
Streams:
  Fixed bug GH-11078 (PHP Fatal error triggers pointer being freed was
not allocated and malloc: double free for ptr errors).

References

SRPMS

9/core