UbuntuUpdates.org

Package "php8.1"

Name: php8.1

Description:

server-side, HTML-embedded scripting language (metapackage)
Latest version: 8.1.2-1ubuntu2.17
Release: jammy (22.04)
Level: security
Repository: main
Homepage: http://www.php.net/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "php8.1"

All arch deb package
APT INSTALL

Other versions of "php8.1" in Jammy

Repository Area Version
base universe 8.1.2-1ubuntu2
base main 8.1.2-1ubuntu2
security universe 8.1.2-1ubuntu2.17
updates universe 8.1.2-1ubuntu2.17
updates main 8.1.2-1ubuntu2.17
proposed universe 8.1.2-1ubuntu2.16
proposed main 8.1.2-1ubuntu2.16

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 8.1.2-1ubuntu2.8 2022-11-08 17:07:32 UTC

  php8.1 (8.1.2-1ubuntu2.8) jammy-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-31628-1.patch: adding a recursion limit
      in ext/phar/phar.c, ext/phar/tests/bug81726.phpt.
    - debian/source/include-binaries: add ext/phar/tests/bug81726.gz.
    - debian/patches/CVE-2022-31628-2.patch: avoid a second check in
      ext/phar/phar.c.
    - CVE-2022-31628
  * SECURITY UPDATE: Cookie injection
    - debian/patches/CVE-2022-31629.patch: don't mangle HTTP
      variable names that clash with ones that have a specific semantic
      meaning in ext/standard/test/bug81727.phpt,
      main/php_variables.c.
    - CVE-2022-31629
  * SECURITY UPDATE: Out of bounds read
    - debian/patches/CVE-2022-31630.patch: adds validation in
      imageloadfont() for OOB in ext/gd/gd.c, ext/gd/tests/bug81739.phpt.
    - CVE-2022-31630
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2022-37454.patch: fixes buffer overflow in
      hash_update() on long parameter in
      ext/hash/sha3/generic32lc/KeccakSponge.inc,
      ext/hash/sha3/generic64lc/KeccakSponge.inc.
    - CVE-2022-37454

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 02 Nov 2022 10:35:25 -0300
Source diff to previous version
CVE-2022-31628 In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infini
CVE-2022-31629 In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the
CVE-2022-37454 The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute

Version: 8.1.2-1ubuntu2.2 2022-07-25 13:07:15 UTC

  php8.1 (8.1.2-1ubuntu2.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Memory corruption in libmagic
    - debian/patches/CVE-2022-31627.patch: use the same memory allocator in
      ext/fileinfo/libmagic.patch, ext/fileinfo/libmagic/softmagic.c,
      ext/fileinfo/tests/bug81723.phpt.
    - CVE-2022-31627

 -- Marc Deslauriers <email address hidden> Thu, 21 Jul 2022 08:10:37 -0400
Source diff to previous version

Version: 8.1.2-1ubuntu2.1 2022-06-15 13:06:44 UTC

  php8.1 (8.1.2-1ubuntu2.1) jammy-security; urgency=medium

  * SECURITY UPDATE: RCE via Uninitialized array in pg_query_params()
    - debian/patches/CVE-2022-31625.patch: don't free parameters which
      haven't initialized yet in ext/pgsql/pgsql.c,
      ext/pgsql/tests/bug81720.phpt.
    - CVE-2022-31625
  * SECURITY UPDATE: RCE via mysqlnd/pdo password buffer overflow
    - debian/patches/CVE-20022-31626.patch: properly calculate size in
      ext/mysqlnd/mysqlnd_wireprotocol.c.
    - CVE-2022-31626

 -- Marc Deslauriers <email address hidden> Mon, 13 Jun 2022 09:52:54 -0400


About   -   Send Feedback to @ubuntu_updates