I noticed some potential issues with the php:7.4 errata issued on 11/13/22. Here is the equivalent Red Hat errata. Note that the list of affected packages are substantially different between the two errata. As an example, the php-cli package isn’t listed. This means that systems set to do automatic security related updates don’t pick up some of the required php packages. I can of course manually update systems, but I wanted to mention this in case it’s an indicator of a more general issue that needs to be addressed.
I just wanted to note that I think this issue may now be resolved. From a recent chat post, I know there were some updates to the errata engine, and the list of packages for the mentioned PHP errata seems to be updated now so, for example, php-cli is now in the list (and it wasn’t previously). Thank you to the developers!
This still appears to be messed up. The listed package versions do not match the ones on RedHat which is php-7.4.30-1.module+el8.7.0+15886+8e29b882.x86_64.rpm from Nov 8th. When I download the Rocky php-7.4.30-1.module+el8.7.0+1067+0a7071cc.x86_64.rpm its changelog does not show the appropriate CVE’s like it should.
So Rocky 8 still does not have fixed php 7.4 packages as far as I can tell.
We ship the exact php-7.4.30-1 package that they are shipping in that module. What is the issue that you are seeing with the errata and package versions? It is highly likely that the CVE’s that are referenced were fixed in the rebase of 7.4.30, and likely the reason why it wasn’t listed in the changelog.
+15886+8e29b882 are module build service specific (first number is the build number) and does not automatically mean their package and our package are not the same version.
This is the changelog for php 7.4. On a RHEL 8 machine, this is the top 20 lines of the changelog, which looks the same to me.
# dnf repoquery -q php-cli-0:7.4.30-1.module+el8.7.0+15886+8e29b882.x86_64 --changelog | head -n20 Changelog for php-cli-7.4.30-1.module+el8.7.0+15886+8e29b882.x86_64 * Thu Jul 07 2022 Remi Collet <email@example.com> - 7.4.30-1 - rebase to 7.4.30 #2099615 * Wed Jun 22 2022 Remi Collet <firstname.lastname@example.org> - 7.4.19-3 - fix password of excessive length triggers buffer overflow leading to RCE CVE-2022-31626 * Wed Jan 19 2022 Remi Collet <email@example.com> - 7.4.19-2 - fix SSRF bypass in FILTER_VALIDATE_URL CVE-2021-21705 - fix Local privilege escalation via PHP-FPM CVE-2021-21703 * Thu May 20 2021 Remi Collet <firstname.lastname@example.org> - 7.4.19-1 - rebase to 7.4.19 #1944110 * Mon Jun 15 2020 Remi Collet <email@example.com> - 7.4.6-4 - fix regression in 7.4.6 with generators and exception