PHP 7.4 errata affected packages

I noticed some potential issues with the php:7.4 errata issued on 11/13/22. Here is the equivalent Red Hat errata. Note that the list of affected packages is substantially different between the two errata. As an example, the php-cli package isn’t listed. This means that systems set to do automatic security-related updates don’t pick up some of the required php packages. I can of course manually update systems, but I wanted to mention this in case it’s an indicator of a more general issue that needs to be addressed.

I just wanted to note that I think this issue may now be resolved. From a recent chat post, I know there were some updates to the errata engine, and the list of packages for the mentioned PHP errata seems to be updated now so, for example, php-cli is now in the list (and it wasn’t previously). Thank you to the developers!

This still appears to be messed up. The listed package versions do not match the ones on RedHat, which is php-7.4.30-1.module+el8.7.0+15886+8e29b882.x86_64.rpm from Nov 8th. When I download the Rocky php-7.4.30-1.module+el8.7.0+1067+0a7071cc.x86_64.rpm, its changelog does not show the appropriate CVEs like it should.

So Rocky 8 still does not have fixed php 7.4 packages as far as I can tell.

We ship the exact php-7.4.30-1 package that they are shipping in that module. What is the issue that you are seeing with the errata and package versions? It is highly likely that the CVEs that are referenced were fixed in the rebase of 7.4.30, and likely the reason why it wasn’t listed in the changelog.

Note that +1067+0a7071cc and +15886+8e29b882 are module build service specific (the first number is the build number) and do not automatically mean their package and our package are not the same version.

This is the changelog for php 7.4. On a RHEL 8 machine, this is the top 20 lines of the changelog, which looks the same to me.

# dnf repoquery -q php-cli-0:7.4.30-1.module+el8.7.0+15886+8e29b882.x86_64 --changelog | head -n20
Changelog for php-cli-7.4.30-1.module+el8.7.0+15886+8e29b882.x86_64
* Thu Jul 07 2022 Remi Collet <rcollet@redhat.com> - 7.4.30-1
- rebase to 7.4.30 #2099615

* Wed Jun 22 2022 Remi Collet <rcollet@redhat.com> - 7.4.19-3
- fix password of excessive length triggers buffer overflow leading to RCE
  CVE-2022-31626

* Wed Jan 19 2022 Remi Collet <rcollet@redhat.com> - 7.4.19-2
- fix SSRF bypass in FILTER_VALIDATE_URL
  CVE-2021-21705
- fix Local privilege escalation via PHP-FPM
  CVE-2021-21703

* Thu May 20 2021 Remi Collet <rcollet@redhat.com> - 7.4.19-1
- rebase to 7.4.19 #1944110

* Mon Jun 15 2020 Remi Collet <rcollet@redhat.com> - 7.4.6-4
- fix regression in 7.4.6 with generators and exception
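The two checks discussed in this thread, as an added example that is not from the thread or from either distribution's tooling: strip the module build context (+build+hash) before comparing the Red Hat and Rocky NEVRAs, and search the whole RPM changelog for a CVE id rather than only the newest "rebase" entry. The sample changelog is a constructed copy of the entries quoted above; on a live system it would come from `rpm -q --changelog php-cli`.

```python
import re

# Constructed sample: the first entries of the php-cli 7.4.30-1 changelog quoted
# in the thread (a live copy comes from `rpm -q --changelog php-cli`).
SAMPLE_CHANGELOG = """\
* Thu Jul 07 2022 Remi Collet <rcollet@redhat.com> - 7.4.30-1
- rebase to 7.4.30 #2099615

* Wed Jun 22 2022 Remi Collet <rcollet@redhat.com> - 7.4.19-3
- fix password of excessive length triggers buffer overflow leading to RCE
  CVE-2022-31626

* Wed Jan 19 2022 Remi Collet <rcollet@redhat.com> - 7.4.19-2
- fix SSRF bypass in FILTER_VALIDATE_URL
  CVE-2021-21705
- fix Local privilege escalation via PHP-FPM
  CVE-2021-21703
"""
# Module build context is the "+<build number>+<context hash>" after ".module+elX.Y.Z".
MODULE_CTX_RE = re.compile(r"(\.module\+el\d+\.\d+\.\d+)\+\d+\+[0-9a-f]+")
ENTRY_RE = re.compile(r"^\* .+ - (\S+)$")       # "* <date> <author> - <evr>"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def strip_module_context(nevra):
    """Drop the build-service suffix so NEVRAs from two build systems compare."""
    return MODULE_CTX_RE.sub(r"\1", nevra)


def same_package_version(a, b):
    return strip_module_context(a) == strip_module_context(b)


def cves_by_release(changelog):
    """Map each changelog EVR (e.g. '7.4.19-3') to the CVE ids its entry names."""
    result, current = {}, None
    for line in changelog.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
        elif current is not None:
            result[current].extend(CVE_RE.findall(line))
    return result


def release_fixing(changelog, cve):
    """Newest EVR whose entry names the CVE, or None if no entry does."""
    for evr, cves in cves_by_release(changelog).items():
        if cve in cves:
            return evr
    return None
```

For the package pair quoted above, `same_package_version` returns True, and `release_fixing(SAMPLE_CHANGELOG, "CVE-2022-31626")` returns "7.4.19-3", which is why the 7.4.30-1 build carries the fix even though its own entry only says "rebase".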