Opened 22 months ago
Closed 22 months ago
#16649 closed enhancement (fixed)
php-8.1.7 (eeds security advisory)
Reported by: | Bruce Dubbs | Owned by: | Bruce Dubbs |
---|---|---|---|
Priority: | elevated | Milestone: | 11.2 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version.
Change History (6)
comment:1 by , 22 months ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 22 months ago
comment:3 by , 22 months ago
Priority: | normal → elevated |
---|
These appear to be brand new CVEs, which are still marked as RESERVED
Looking on Google shows a Twitter post from a security researcher who plans on demoing remote exploits at a conference coming later this month: https://twitter.com/cfreal_/status/1534940109434507264
In addition, PHP says here https://twitter.com/official_php/status/1534930599403823105 the words "Please Update!"
Still trying to find details at this time, but it looks like mysqlnd is vulnerable to remote code execution via a buffer overflow (see https://bugs.php.net/bug.php?id=81719) and pgsql is vulnerable to remote code execution due to the way PHP handled uninitialized arrays (see https://bugs.php.net/bug.php?id=81720)
Since we do not have CVE information yet, let's rate these as "High" in the security advisory. We can update it later with the information from NVD or Red Hat.
comment:4 by , 22 months ago
Fixed at commit 199a3cedaa
Will close when we get details on CVE-2022-31625 and CVE-2022-31626.
comment:5 by , 22 months ago
Summary: | php-8.1.7 → php-8.1.7 (eeds security advisory) |
---|
comment:6 by , 22 months ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Security Advisories issued. SA-11.1-061 and 062
09 Jun 2022, PHP 8.1.7