UbuntuUpdates.org

Package "php8.1"

Name: php8.1

Description:

server-side, HTML-embedded scripting language (metapackage)

Latest version: 8.1.2-1ubuntu2.14
Release: jammy (22.04)
Level: updates
Repository: main
Homepage: http://www.php.net/

Links


Download "php8.1"


Other versions of "php8.1" in Jammy

Repository Area Version
base universe 8.1.2-1ubuntu2
base main 8.1.2-1ubuntu2
security main 8.1.2-1ubuntu2.14
security universe 8.1.2-1ubuntu2.14
updates universe 8.1.2-1ubuntu2.14

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 8.1.2-1ubuntu2.14 2023-08-23 20:07:01 UTC

  php8.1 (8.1.2-1ubuntu2.14) jammy-security; urgency=medium

  * SECURITY UPDATE: Disclosure sensitive information
    - debian/patches/CVE-2023-3823.patch: sanitieze libxml2 globals
      before parsing in ext/dom/document.c, ext/dom/documentfragment.c,
      xml_global_state_entity_loader_bypass.phpt, ext/libxml/php_libxml.h,
      ext/simplexml/simplexml.c, xml_global_state_entity_loader_bypass.phpt,
      ext/soap/php_xml.c, ext/xml/compat.c, ext/xmlreader/php_xmlreader.c,
      xml_global_state_entity_loader_bypass.phpt, ext/xsl/xsltprocessor.c,
      ext/zend_test/test.c, ext/zend_test/test.stub.php.
    - CVE-2023-3823
  * SECURITY UPDATE: Stack buffer overflow
    - debian/patches/CVE-2023-3824.patch: fix buffer mismanagement in
      phar_dir_read(), and in files ext/phar/dirstream.c,
      ext/phar/tests/GHSA-jqcx-ccgx-xwhv.phpt.
    - CVE-2023-3824

 -- Leonidas Da Silva Barbosa <email address hidden> Fri, 18 Aug 2023 08:41:11 -0300

Source diff to previous version

Version: 8.1.2-1ubuntu2.13 2023-07-03 17:07:11 UTC

  php8.1 (8.1.2-1ubuntu2.13) jammy-security; urgency=medium

  * SECURITY UPDATE: Missing error check and insufficient random
    bytes
    - debian/patches/CVE-2023-3247-1.patch: fixes missing randomness
      check and insufficient random byes for SOAP HTTP digest
      in ext/soap/php_http.c.
    - debian/patches/CVE-2023-3247-2.patch: fix wrong backporting of previous
      soap patch.
    - CVE-2023-3247

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 28 Jun 2023 11:01:49 -0300

Source diff to previous version
CVE-2023-3247 GHSA-76gg-c692-v2mw: Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP

Version: 8.1.2-1ubuntu2.11 2023-02-28 21:06:58 UTC

  php8.1 (8.1.2-1ubuntu2.11) jammy-security; urgency=medium

  * SECURITY UPDATE: password_verify() accepts invalid Blowfish hashes
    - debian/patches/CVE-2023-0567-1.patch: fix validation of malformed
      BCrypt hashes in ext/standard/crypt_blowfish.c,
      ext/standard/tests/crypt/bcrypt_salt_dollar.phpt.
    - debian/patches/CVE-2023-0567-2.patch: fix possible buffer overread in
      php_crypt() in ext/standard/crypt.c,
      ext/standard/tests/password/password_bcrypt_short.phpt.
    - CVE-2023-0567
  * SECURITY UPDATE: off-by-one in core path resolution function
    - debian/patches/CVE-2023-0568.patch: fix array overrun when appending
      slash to paths in ext/dom/document.c, ext/xmlreader/php_xmlreader.c,
      main/fopen_wrappers.c.
    - CVE-2023-0568
  * SECURITY UPDATE: DoS via excessive number of parts in HTTP form upload
    - debian/patches/CVE-2023-0662-1.patch: introduce
      max_multipart_body_parts INI in main/main.c, main/rfc1867.c,
      sapi/fpm/tests/*, sapi/fpm/tests/tester.inc.
    - debian/patches/CVE-2023-0662-2.patch: fix repeated warning for file
      uploads limit exceeding in main/rfc1867.c.
    - CVE-2023-0662

 -- Marc Deslauriers <email address hidden> Wed, 22 Feb 2023 17:56:18 -0500

Source diff to previous version
CVE-2023-0567 In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3 ...
CVE-2023-0568 In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolv
CVE-2023-0662 In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consump

Version: 8.1.2-1ubuntu2.10 2023-01-23 16:08:00 UTC

  php8.1 (8.1.2-1ubuntu2.10) jammy-security; urgency=medium

  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-31631-*.patch: fix check
      unquotedlen size in ext/pdo_sqlite/sqlite_driver.c.
    - CVE-2022-31631

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 16 Jan 2023 12:19:49 -0300

Source diff to previous version

Version: 8.1.2-1ubuntu2.9 2022-11-24 20:06:21 UTC

  php8.1 (8.1.2-1ubuntu2.9) jammy; urgency=medium

  * d/p/0049-Preserve-file-position-when-php-temp-switches.patch: PHP provides
    a temporary data stream, php://temp, whose contents are moved to a
    temporary file when a predefined size limit is hit. In jammy, the file
    position is set to the end of the file, which results in corrupted/unwanted
    data. Fix this by preserving the file position in this situation.
    (LP: #1990302)

 -- Athos Ribeiro <email address hidden> Wed, 19 Oct 2022 11:58:09 -0300

1990302 php://temp bug fixed in 8.1.6 is not backported to 8.1.2 release



About   -   Send Feedback to @ubuntu_updates