Source: php8.2 Version: 8.2.7-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 8.2.7-1~deb12u1
Hi, The following vulnerabilities were published for php8.2. CVE-2023-3823[0]: | In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* | before 8.2.8 various XML functions rely on libxml global state to | track configuration variables, like whether external entities are | loaded. This state is assumed to be unchanged unless the user | explicitly changes it by calling appropriate function. However, | since the state is process-global, other modules - such | as ImageMagick - may also use this library within the same process, | and change that global state for their internal purposes, and leave | it in a state where external entities loading is enabled. This can | lead to the situation where external XML is parsed with external | entities loaded, which can lead to disclosure of any local files | accessible to PHP. This vulnerable state may persist in the same | process across many requests, until the process is shut down. CVE-2023-3824[1]: | In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* | before 8.2.8, when loading phar file, while reading PHAR directory | entries, insufficient length checking may lead to a stack buffer | overflow, leading potentially to memory corruption or RCE. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-3823 https://www.cve.org/CVERecord?id=CVE-2023-3823 [1] https://security-tracker.debian.org/tracker/CVE-2023-3824 https://www.cve.org/CVERecord?id=CVE-2023-3824 Regards, Salvatore