SUSE Package Hub - SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-3997

Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-3997

Security update for php7

Type: security

Severity: important

Issued: 2022-11-15

Description:

This update for php7 fixes the following issues:

- Version update to 7.4.33:
- CVE-2022-31630: Fixed out-of-bounds read due to insufficient input validation in imageloadfont() (bsc#1204979).
- CVE-2022-37454: Fixed buffer overflow in hash_update() on long parameter (bsc#1204577).


- Version update to 7.4.32 (jsc#SLE-23639)
- CVE-2022-31628: Fixed an uncontrolled recursion in the phar uncompressor while decompressing "quines" gzip files. (bsc#1203867)
- CVE-2022-31629: Fixed a bug which could lead an attacker to set an insecure cookie that will treated as secure in the victim's browser. (bsc#1203870)

References

jira: SLE-23639 https://jira.suse.com/browse/SLE-23639
CVE: CVE-2022-37454
CVE: CVE-2022-31630
CVE: CVE-2022-31629
CVE: CVE-2022-31628
CVE: CVE-2022-31626
CVE: CVE-2022-31625
CVE: CVE-2021-21708
CVE: CVE-2021-21707
Bugzilla: 1204979 VUL-0: CVE-2022-31630: php53,php74,php8,php7: php: OOB read due to insufficient input validation in imageloadfont()
Bugzilla: 1204577 VUL-0: CVE-2022-37454: python,php7,php8: SHA-3 Buffer Overflow
Bugzilla: 1203870 VUL-0: CVE-2022-31629: php72,php7,php5,php8,php53,php74: attackers may be able to set an insecure cookie that will treated as secure in the victim's browser
Bugzilla: 1203867 VUL-0: CVE-2022-31628: php5,php72,php74,php8,php53,php7: uncontrolled recursion in the phar uncompressor while decompressing "quines" gzip files

Packages

php7-embed-7.4.33-150400.4.13.1