Author: Gina Peter Banyard (Girgias)
Date: 2024-04-24T22:18:15+01:00

Commit: 
https://github.com/php/web-php/commit/44532fe2af67ea5c6b7d14c4e8cab0cd7f8bf908
Raw diff: 
https://github.com/php/web-php/commit/44532fe2af67ea5c6b7d14c4e8cab0cd7f8bf908.diff

Fix link and HTML markup

Changed paths:
  M  archive/entries/2024-04-24-1.xml


Diff:

diff --git a/archive/entries/2024-04-24-1.xml b/archive/entries/2024-04-24-1.xml
index 62f4fed063..a378b76602 100644
--- a/archive/entries/2024-04-24-1.xml
+++ b/archive/entries/2024-04-24-1.xml
@@ -9,42 +9,42 @@
   <category term="frontpage" label="PHP.net frontpage news"/>
   <content type="xhtml">
     <div xmlns="http://www.w3.org/1999/xhtml";>
-        <p>Recently, a bug in <b>glibc</b> version 2.39 and older (<a
-        href="archive/entries/2024-04-24-1.xml">CVE-2024-2961</a>) was 
uncovered
+        <p>Recently, a bug in <strong>glibc</strong> version 2.39 and older (<a
+        
href="https://nvd.nist.gov/vuln/detail/CVE-2024-2961";>CVE-2024-2961</a>) was 
uncovered
         where a buffer overflow in character set conversions *to* the
         ISO-2022-CN-EXT character set.</p>
-     
+
         <p>This specific buffer overflow in glibc is exploitable through PHP,
         which uses the iconv functionality in glibc to do character set
         conversions. Although the bug is exploitable in the context of the PHP
         Engine, the bug is not in PHP. It is also not directly exploitable
         remotely.</p>
-     
+
         <p>There are numerous reports online with titles like "Mitigating the
         iconv Vulnerability for PHP (CVE-2024-2961)" or "PHP Under Attack". 
These
-        titles are misleading as this is *not* a bug in PHP itself.</p>
-     
+        titles are misleading as this is <em>not</em> a bug in PHP itself.</p>
+
         <p>Currently there is no fix for this issue, but there is a workaround
         described in <a
         
href="https://rockylinux.org/news/glibc-vulnerability-april-2024/";>GLIBC
         Vulnerability on Servers Serving PHP</a>. It explains a way how to 
remove
         the problematic character set from glibc. Perform this procedure for 
every
         gconv-modules-extra.conf file that is available on your system.</p>
-     
+
         <p>Additionally it is also good practice for applications to accept 
only
         specific charsets, with an allow-list.</p>
-     
+
         <p>Some Linux distributions such as <a
         
href="https://security-tracker.debian.org/tracker/CVE-2024-2961";>Debian</a>,
         CentOS, and others, already have published patched variants of glibc.
         Please upgrade as soon as possible.</p>
-     
+
         <p>Once an update is available in glibc, updating that package on your
         Linux machine will be enough to alleviate the issue. You do not need to
         update PHP, as glibc is a dynamically linked library.</p>
-     
+
         <p>PHP users on Windows are not affected.</p>
-     
+
         <p>There will therefore also not be a new version of PHP for this
         vulnerability.</p>
     </div>
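Review bot: the emphasis markup is only half converted. The unchanged context line "where a buffer overflow in character set conversions *to* the" still carries literal asterisks, while this hunk replaces *not* with <em>not</em> further down. Convert that one to <em>to</em> in the same commit so the entry renders consistently. That sentence also has no verb after "where a buffer overflow"; something like "where a buffer overflow can occur in character set conversions" would read correctly. Separately, the paragraph starting "Currently there is no fix for this issue" sits next to the paragraph saying Debian, CentOS, and others "already have published patched variants of glibc"; since the entry is being touched anyway, consider rewording one of them so the two statements do not contradict each other.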
