SUSE-SU-2024:1445-1

Details

This update for php74 fixes the following issues:

CVE-2024-2756: Fixed bypass of security fix applied for CVE-2022-31629 that lead PHP to consider not secure cookies as secure (bsc#1222857)
CVE-2024-3096: Fixed bypass on null byte leading passwords checked via password_verify (bsc#1222858)

Affected Packages(51 packages)

apache2-mod_php74

SUSE Linux Enterprise Module for Web and Scripting 12

Fixed in:

7.4.33-1.65.1

php74

SUSE Linux Enterprise Module for Web and Scripting 12SUSE Linux Enterprise Software Development Kit 12 SP5

Fixed in:

7.4.33-1.65.1

php74-bcmath

SUSE Linux Enterprise Module for Web and Scripting 12

Fixed in:

7.4.33-1.65.1

php74-bz2

SUSE Linux Enterprise Module for Web and Scripting 12

Fixed in:

7.4.33-1.65.1

php74-calendar

SUSE Linux Enterprise Module for Web and Scripting 12

Fixed in:

7.4.33-1.65.1

php74-ctype

SUSE Linux Enterprise Module for Web and Scripting 12

Fixed in:

7.4.33-1.65.1

php74-curl

SUSE Linux Enterprise Module for Web and Scripting 12

Fixed in:

7.4.33-1.65.1

php74-dba

SUSE Linux Enterprise Module for Web and Scripting 12

Fixed in:

7.4.33-1.65.1

php74-dom

SUSE Linux Enterprise Module for Web and Scripting 12

Fixed in:

7.4.33-1.65.1

php74-enchant

SUSE Linux Enterprise Module for Web and Scripting 12

Fixed in:

7.4.33-1.65.1

References

REPORT

https://bugzilla.suse.com/1222857

REPORT

https://bugzilla.suse.com/1222858

WEB

https://www.suse.com/security/cve/CVE-2024-2756

WEB

https://www.suse.com/security/cve/CVE-2024-3096

ADVISORY

https://www.suse.com/support/update/announcement/2024/suse-su-20241445-1/