Debian alert DLA-4088-1 (php7.4)
| From: | Guilhem Moulin <guilhem@debian.org> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 4088-1] php7.4 security update | |
| Date: | Thu, 20 Mar 2025 11:43:46 +0100 | |
| Message-ID: | <Z9vxYqGI-RvpkeE4@debian.org> |
------------------------------------------------------------------------- Debian LTS Advisory DLA-4088-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin March 20, 2025 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : php7.4 Version : 7.4.33-1+deb11u8 CVE ID : CVE-2025-1217 CVE-2025-1219 CVE-2025-1734 CVE-2025-1736 CVE-2025-1861 Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in HTTP request smuggling, validation bypass or denial of service. CVE-2025-1217 Tim Düsterhus discovered that the header parser of the `http` stream wrapper does not handle folded headers and passes incorrect MIME types to an attached stream notifier. CVE-2025-1219 Tim Düsterhus discovered that when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong `content-type` header is used to determine the charset when the requested resource performs a redirect. CVE-2025-1734 It was discovered that the streams HTTP wrapper does not fail for headers with invalid name and no colon, thereby violating RFC-mandated behavior. CVE-2025-1736 It was discovered that the stream HTTP wrapper header check might omit basic auth header in some cases. CVE-2025-1861 It was discovered that the stream HTTP wrapper truncate redirect location to 1024 bytes, while the RFC-recommended length is 8000 and browsers usually limit to around 2048. GHSA-wg4p-4hqh-c3g9 An out of bound read was discovered in the XML parsing logic when `XML_OPTION_SKIP_TAGSTART` is set to a high value and the XML document has shorter tag names than expected. For Debian 11 bullseye, these problems have been fixed in version 7.4.33-1+deb11u8. We recommend that you upgrade your php7.4 packages. For the detailed security status of php7.4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/php7.4 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmfb8VwACgkQ05pJnDwh pVI7dQ//SymSe+f3p3ybm1NVRcQM+pWXfFfQHPaFYNH4kX8Gtg390vTiPK3jPX7L Y6hPI9uaZFZDzuQwFxPP4c43o2qvw4bkuHbs30EWK9Idwk3d8sq0u8znh5RX8LHe Vi36caV0KRXVIaj/cxGqAhlN70m4PpVUWvQYFb+0tj1UvsOMfGqAdOawml2F67Zo PTwEMj7HdUozSfAtDgHyTWZq8/irgp7+GMJfCvAiSDCcdYFWLy057nuDkuafXB8H NW+jkbV1yikjTQbDDE4DsrbwrYWDOSVLL5s9n2acR+thQX6hqAGgkzpF4iacDGPW E530qDgMJJDV+onU/PieU5gFXmArZAqDrHwHj7nTuvemrxo2GqmUgqIxtZKwYRA5 mH0JeLHJ0dyt/Ciq8GgI+lWuDdIZOqzNhfmoKz+zWbPmawwS+glVjQXqZIduMX99 aBivuJw421ANkZrm8gUcOVav8Vjkze9VEMj/sLgWhJMzzFo0ymOop+avXivuerG1 isI5mNwcSxzs1rp8y2dsie9zLZfNe5SWKaUbY1uZbv+72UafhdL2Ru+ztdfOOVSD CqS4RECNNcVtNqFnUthB2eSVlUO7+WlLQ0lh+etCUzaY5J7jZjcAAO/aEltfE0ia UyGPnH7MTSCqxyNXQvpo7Ua/FEnA6SeQtG/GACFVVNbFC39gZV4= =26T/ -----END PGP SIGNATURE-----