php:8.0 security update
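Errata ID: AXSA:2023-6531:01
The following issues have been addressed.
[Security Fix]
- The password_verify() function in PHP treats malformed Blowfish hash
values as valid. This allows a local attacker to cause an application
to accept an incorrect password as valid. (CVE-2023-0567)
- The path resolution function in PHP allocates a buffer that is 1 byte
too small, so a NULL value is written outside the bounds of the buffer.
This allows a remote attacker to read or write data without
authorization by resolving a path whose length is close to the
MAXPATHLEN value configured on the system. (CVE-2023-0568)
- PHP consumes a large number of log entries when too many items are
uploaded from a web page form. This allows a remote attacker to cause
a denial of service through resource exhaustion. (CVE-2023-0662)
- When SOAP HTTP Digest Authentication is used, PHP does not check
whether random value generation failed and uses a narrower range of
random values than intended. This allows a remote attacker to guess
the nonce. (CVE-2023-3247)
- PHP does not properly restrict external entity references. This allows
a remote attacker to read arbitrary local files accessible to PHP by
having external XML parsed while external entities are loaded.
(CVE-2023-3823)
- The code in PHP that reads PHAR directory entries does not properly
validate file name lengths. This allows a remote attacker to trigger a
buffer overflow, resulting in memory corruption or remote code
execution. (CVE-2023-3824)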
Modularity name: php
Stream name: 8.0
Update the packages.
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the password_verify() function may accept some invalid Blowfish hashes as valid. If such an invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the core path resolution function allocates a buffer one byte too small. When resolving paths with lengths close to the system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with a NUL value, which might lead to unauthorized data access or modification.
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, an excessive number of parts in an HTTP form upload can cause high resource consumption and an excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.
In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7, when using SOAP HTTP Digest Authentication, the random value generator was not checked for failure and used a narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made it easier for a malicious server to guess the client's nonce.
In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, various XML functions rely on libxml global state to track configuration variables, such as whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling the appropriate function. However, since the state is process-global, other modules (such as ImageMagick) may also use this library within the same process, change that global state for their internal purposes, and leave it in a state where external entity loading is enabled. This can lead to a situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.
In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading a phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, potentially leading to memory corruption or RCE.
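The password_verify() issue described above only matters once a malformed Blowfish hash is already stored, so alongside the package update it is worth auditing stored hashes against the well-formed bcrypt layout. The script below is an added example, not part of this advisory or of PHP itself; the function names and the sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Well-formed bcrypt ("Blowfish") hash: "$2" + variant letter + "$" +
// two-digit cost (04-31) + "$" + 22-char salt + 31-char digest,
// salt and digest drawn only from the ./A-Za-z0-9 alphabet (60 chars total).
const BCRYPT_PATTERN = '#\A\$2[abxy]\$(?:0[4-9]|[12][0-9]|3[01])\$[./A-Za-z0-9]{53}\z#';

/**
 * Return a reason string when $hash claims to be bcrypt but is malformed,
 * or null when it is well-formed or belongs to another scheme.
 */
function bcryptDefect(string $hash): ?string
{
    if (strncmp($hash, '$2', 2) !== 0) {
        return null; // not a Blowfish-style hash; out of scope for this check
    }
    if (strlen($hash) !== 60) {
        return 'length ' . strlen($hash) . ', expected 60';
    }
    if (preg_match(BCRYPT_PATTERN, $hash) !== 1) {
        return 'bad variant, cost, or character outside ./A-Za-z0-9';
    }
    return null;
}

/** Audit [username => stored hash] and return [username => defect]. */
function auditHashes(array $rows): array
{
    $findings = [];
    foreach ($rows as $user => $hash) {
        $defect = bcryptDefect((string) $hash);
        if ($defect !== null) {
            $findings[$user] = $defect;
        }
    }
    return $findings;
}

// Constructed sample rows (not real credentials).
$body = str_repeat('A', 53);
$rows = [
    'alice' => '$2y$10$' . $body,                  // well-formed shape
    'bob'   => '$2y$10$' . substr($body, 0, 20),   // truncated on storage
    'carol' => '$2y$10$' . '$' . substr($body, 1), // '$' inside the salt
    'dave'  => '$argon2id$constructed-placeholder', // other scheme, skipped
];
foreach (auditHashes($rows) as $user => $defect) {
    echo "$user: $defect\n";
}
```

Entries flagged by the audit should have their password reset rather than be trusted after the update, since the stored value cannot correspond to any real password.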
N/A
SRPMS
- libzip-1.7.3-1.module+el8+1674+5c4565fd.src.rpm (746.87 kB)
- php-pear-1.10.13-1.module+el8+1674+5c4565fd.src.rpm (380.39 kB)
- php-pecl-apcu-5.1.20-1.module+el8+1674+5c4565fd.src.rpm (109.60 kB)
- php-pecl-rrd-2.0.3-1.module+el8+1674+5c4565fd.src.rpm (33.67 kB)
- php-pecl-xdebug3-3.1.2-1.module+el8+1674+5c4565fd.src.rpm (481.11 kB)
- php-pecl-zip-1.19.2-1.module+el8+1674+5c4565fd.src.rpm (331.42 kB)
- php-8.0.30-1.module+el8+1674+5c4565fd.src.rpm (10.49 MB)
Asianux Server 8 for x86_64
- apcu-panel-5.1.20-1.module+el8+1674+5c4565fd.noarch.rpm (22.34 kB)
- libzip-1.7.3-1.module+el8+1674+5c4565fd.x86_64.rpm (65.99 kB)
- libzip-debugsource-1.7.3-1.module+el8+1674+5c4565fd.x86_64.rpm (104.78 kB)
- libzip-devel-1.7.3-1.module+el8+1674+5c4565fd.x86_64.rpm (188.52 kB)
- libzip-tools-1.7.3-1.module+el8+1674+5c4565fd.x86_64.rpm (43.12 kB)
- php-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (1.55 MB)
- php-bcmath-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (79.71 kB)
- php-cli-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (3.14 MB)
- php-common-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (724.81 kB)
- php-dba-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (78.24 kB)
- php-dbg-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (1.66 MB)
- php-debugsource-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (4.31 MB)
- php-devel-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (774.41 kB)
- php-embedded-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (1.54 MB)
- php-enchant-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (64.31 kB)
- php-ffi-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (116.45 kB)
- php-fpm-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (1.64 MB)
- php-gd-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (84.53 kB)
- php-gmp-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (77.60 kB)
- php-intl-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (191.06 kB)
- php-ldap-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (84.41 kB)
- php-mbstring-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (481.36 kB)
- php-mysqlnd-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (192.06 kB)
- php-odbc-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (88.90 kB)
- php-opcache-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (548.04 kB)
- php-pdo-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (126.06 kB)
- php-pear-1.10.13-1.module+el8+1674+5c4565fd.noarch.rpm (360.49 kB)
- php-pecl-apcu-5.1.20-1.module+el8+1674+5c4565fd.x86_64.rpm (64.07 kB)
- php-pecl-apcu-debugsource-5.1.20-1.module+el8+1674+5c4565fd.x86_64.rpm (50.23 kB)
- php-pecl-apcu-devel-5.1.20-1.module+el8+1674+5c4565fd.x86_64.rpm (47.52 kB)
- php-pecl-rrd-2.0.3-1.module+el8+1674+5c4565fd.x86_64.rpm (30.65 kB)
- php-pecl-rrd-debugsource-2.0.3-1.module+el8+1674+5c4565fd.x86_64.rpm (22.50 kB)
- php-pecl-xdebug3-3.1.2-1.module+el8+1674+5c4565fd.x86_64.rpm (202.65 kB)
- php-pecl-xdebug3-debugsource-3.1.2-1.module+el8+1674+5c4565fd.x86_64.rpm (155.90 kB)
- php-pecl-zip-1.19.2-1.module+el8+1674+5c4565fd.x86_64.rpm (55.30 kB)
- php-pecl-zip-debugsource-1.19.2-1.module+el8+1674+5c4565fd.x86_64.rpm (31.52 kB)
- php-pgsql-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (118.18 kB)
- php-process-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (86.06 kB)
- php-snmp-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (75.59 kB)
- php-soap-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (176.38 kB)
- php-xml-8.0.30-1.module+el8+1674+5c4565fd.x86_64.rpm (176.20 kB)