SUSE-SU-2022:3198-2: moderate: Security update for php8-pear

7 Feb 2023

      SUSE Security Update: Security update for php8-pear
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3198-2
Rating:             moderate
References:         SLE-24728 
Cross-References:   CVE-2021-32610
CVSS scores:
                    CVE-2021-32610 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected Products:
                    openSUSE Leap 15.4
______________________________________________________________________________

   An update that fixes one vulnerability, contains one
   feature is now available.

Description:

   This update for php8-pear fixes the following issues:

   - Add php8-pear to SLE15-SP4 (jsc#SLE-24728)
   - Update to 1.10.21
     - PEAR 1.10.13
       * unsupported protocol - use --force to continue
       * Add $this operator to _determineIfPowerpc calls
   - Update to 1.10.20
     - Archive_Tar 1.4.14
       * Properly fix symbolic link path traversal (CVE-2021-32610)
     - Archive_Tar 1.4.13
       * Relative symlinks failing (out-of path file extraction)
     - Archive_Tar 1.4.12
     - Archive_Tar 1.4.11
     - Archive_Tar 1.4.10
       * Fix block padding when the file buffer length is a multiple
         of 512 and smaller than Archive_Tar buffer length
       * Don't try to copy username/groupname in chroot jail

   - provides and obsoletes php7-pear-Archive_Tar, former location
     of PEAR/Archive/Tar.php

   - Update to version 1.10.19
     - PEAR 1.10.12
       * adjust dependencies based on new releases
     - XML_Util 1.4.5
       * fix Trying to access array offset on value of type int

   - Update to version 1.10.18
   - Remove pear-cacheid-array-check.patch (upstreamed)
   - Contents of .filemap are now sorted internally

   - Sort contents of .filemap to make build reproducible

   - Recommend php7-openssl to allow https sources to be used
   - Modify metadata_dir for system configuration only
   - Add /var/lib/pear directory where xml files are stored
   - Cleanup %files section

   - Only use the GPG keys of Chuck Burgess. Extracted from the Release
     Manager public keys.
   - Add release versions of PEAR modules

   - Install metadata files (registry, filemap, channels, ...) in
     /var/lib/pear/ instead of /usr/share/php7/PEAR/

   - Update to version 1.10.17

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.4:

      zypper in -t patch openSUSE-SLE-15.4-2023-291=1

Package List:

   - openSUSE Leap 15.4 (noarch):

      php8-pear-1.10.21-150400.9.3.1
      php8-pecl-1.10.21-150400.9.3.1

References:

   https://www.suse.com/security/cve/CVE-2021-32610.html

SUSE-SU-2022:3198-2: moderate: Security update for php8-pear

opensuse-security＠opensuse.org