   openSUSE Security Update: Security update for php81
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2024:0115-1
Rating:             important
References:         #1222857 #1222858
Cross-References:   CVE-2022-31629 CVE-2024-2756 CVE-2024-3096
CVSS scores:
                    CVE-2022-31629 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
                    CVE-2024-2756 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2024-3096 (SUSE): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for php81 fixes the following issues:

   Version update to 8.1.28

   * Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
     partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos) [boo#1222857]
   * Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return
     true, opening ATO risk). (CVE-2024-3096) (Jakub Zelenka) [boo#1222858]

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP5:

      zypper in -t patch openSUSE-2024-115=1

Package List:

   - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

      apache2-mod_php81-8.1.28-bp155.8.1
      php81-8.1.28-bp155.8.1
      php81-bcmath-8.1.28-bp155.8.1
      php81-bz2-8.1.28-bp155.8.1
      php81-calendar-8.1.28-bp155.8.1
      php81-cli-8.1.28-bp155.8.1
      php81-ctype-8.1.28-bp155.8.1
      php81-curl-8.1.28-bp155.8.1
      php81-dba-8.1.28-bp155.8.1
      php81-devel-8.1.28-bp155.8.1
      php81-dom-8.1.28-bp155.8.1
      php81-embed-8.1.28-bp155.8.1
      php81-enchant-8.1.28-bp155.8.1
      php81-exif-8.1.28-bp155.8.1
      php81-fastcgi-8.1.28-bp155.8.1
      php81-ffi-8.1.28-bp155.8.1
      php81-fileinfo-8.1.28-bp155.8.1
      php81-fpm-8.1.28-bp155.8.1
      php81-ftp-8.1.28-bp155.8.1
      php81-gd-8.1.28-bp155.8.1
      php81-gettext-8.1.28-bp155.8.1
      php81-gmp-8.1.28-bp155.8.1
      php81-iconv-8.1.28-bp155.8.1
      php81-intl-8.1.28-bp155.8.1
      php81-ldap-8.1.28-bp155.8.1
      php81-mbstring-8.1.28-bp155.8.1
      php81-mysql-8.1.28-bp155.8.1
      php81-odbc-8.1.28-bp155.8.1
      php81-opcache-8.1.28-bp155.8.1
      php81-openssl-8.1.28-bp155.8.1
      php81-pcntl-8.1.28-bp155.8.1
      php81-pdo-8.1.28-bp155.8.1
      php81-pgsql-8.1.28-bp155.8.1
      php81-phar-8.1.28-bp155.8.1
      php81-posix-8.1.28-bp155.8.1
      php81-readline-8.1.28-bp155.8.1
      php81-shmop-8.1.28-bp155.8.1
      php81-snmp-8.1.28-bp155.8.1
      php81-soap-8.1.28-bp155.8.1
      php81-sockets-8.1.28-bp155.8.1
      php81-sodium-8.1.28-bp155.8.1
      php81-sqlite-8.1.28-bp155.8.1
      php81-sysvmsg-8.1.28-bp155.8.1
      php81-sysvsem-8.1.28-bp155.8.1
      php81-sysvshm-8.1.28-bp155.8.1
      php81-test-8.1.28-bp155.8.3
      php81-tidy-8.1.28-bp155.8.1
      php81-tokenizer-8.1.28-bp155.8.1
      php81-xmlreader-8.1.28-bp155.8.1
      php81-xmlwriter-8.1.28-bp155.8.1
      php81-xsl-8.1.28-bp155.8.1
      php81-zip-8.1.28-bp155.8.1
      php81-zlib-8.1.28-bp155.8.1

   - openSUSE Backports SLE-15-SP5 (noarch):

      php81-fpm-apache-8.1.28-bp155.8.1

References:

   https://www.suse.com/security/cve/CVE-2022-31629.html
   https://www.suse.com/security/cve/CVE-2024-2756.html
   https://www.suse.com/security/cve/CVE-2024-3096.html
   https://bugzilla.suse.com/1222857
   https://bugzilla.suse.com/1222858