Security update for php74 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1445-1 Final 1 1 2024-04-26T07:26:52Z current 2024-04-26T07:26:52Z 2024-04-26T07:26:52Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for php74 This update for php74 fixes the following issues: - CVE-2024-2756: Fixed bypass of security fix applied for CVE-2022-31629 that lead PHP to consider not secure cookies as secure (bsc#1222857) - CVE-2024-3096: Fixed bypass on null byte leading passwords checked via password_verify (bsc#1222858) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1445,SUSE-SLE-Module-Web-Scripting-12-2024-1445,SUSE-SLE-SDK-12-SP5-2024-1445 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241445-1/ Link for SUSE-SU-2024:1445-1 https://lists.suse.com/pipermail/sle-security-updates/2024-April/018425.html E-Mail link for SUSE-SU-2024:1445-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1222857 SUSE Bug 1222857 https://bugzilla.suse.com/1222858 SUSE Bug 1222858 https://www.suse.com/security/cve/CVE-2024-2756/ SUSE CVE CVE-2024-2756 page https://www.suse.com/security/cve/CVE-2024-3096/ SUSE CVE CVE-2024-3096 page SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Software Development Kit 12 SP5 apache2-mod_php74-7.4.33-1.65.1 php74-7.4.33-1.65.1 php74-bcmath-7.4.33-1.65.1 php74-bz2-7.4.33-1.65.1 php74-calendar-7.4.33-1.65.1 php74-ctype-7.4.33-1.65.1 php74-curl-7.4.33-1.65.1 php74-dba-7.4.33-1.65.1 php74-devel-7.4.33-1.65.1 php74-dom-7.4.33-1.65.1 php74-embed-7.4.33-1.65.1 php74-enchant-7.4.33-1.65.1 php74-exif-7.4.33-1.65.1 php74-fastcgi-7.4.33-1.65.1 php74-fileinfo-7.4.33-1.65.1 php74-firebird-7.4.33-1.65.1 php74-fpm-7.4.33-1.65.1 php74-ftp-7.4.33-1.65.1 php74-gd-7.4.33-1.65.1 php74-gettext-7.4.33-1.65.1 php74-gmp-7.4.33-1.65.1 php74-iconv-7.4.33-1.65.1 php74-intl-7.4.33-1.65.1 php74-json-7.4.33-1.65.1 php74-ldap-7.4.33-1.65.1 php74-mbstring-7.4.33-1.65.1 php74-mysql-7.4.33-1.65.1 php74-odbc-7.4.33-1.65.1 php74-opcache-7.4.33-1.65.1 php74-openssl-7.4.33-1.65.1 php74-pcntl-7.4.33-1.65.1 php74-pdo-7.4.33-1.65.1 php74-pgsql-7.4.33-1.65.1 php74-phar-7.4.33-1.65.1 php74-posix-7.4.33-1.65.1 php74-readline-7.4.33-1.65.1 php74-shmop-7.4.33-1.65.1 php74-snmp-7.4.33-1.65.1 php74-soap-7.4.33-1.65.1 php74-sockets-7.4.33-1.65.1 php74-sodium-7.4.33-1.65.1 php74-sqlite-7.4.33-1.65.1 php74-sysvmsg-7.4.33-1.65.1 php74-sysvsem-7.4.33-1.65.1 php74-sysvshm-7.4.33-1.65.1 php74-test-7.4.33-1.65.1 php74-tidy-7.4.33-1.65.1 php74-tokenizer-7.4.33-1.65.1 php74-xmlreader-7.4.33-1.65.1 php74-xmlrpc-7.4.33-1.65.1 php74-xmlwriter-7.4.33-1.65.1 php74-xsl-7.4.33-1.65.1 php74-zip-7.4.33-1.65.1 php74-zlib-7.4.33-1.65.1 apache2-mod_php74-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-bcmath-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-bz2-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-calendar-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-ctype-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-curl-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-dba-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-dom-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-enchant-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-exif-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-fastcgi-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-fileinfo-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-fpm-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-ftp-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-gd-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-gettext-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-gmp-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-iconv-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-intl-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-json-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-ldap-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-mbstring-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-mysql-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-odbc-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-opcache-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-openssl-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-pcntl-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-pdo-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-pgsql-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-phar-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-posix-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-readline-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-shmop-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-snmp-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-soap-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-sockets-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-sodium-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-sqlite-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-sysvmsg-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-sysvsem-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-sysvshm-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-tidy-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-tokenizer-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-xmlreader-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-xmlrpc-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-xmlwriter-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-xsl-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-zip-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-zlib-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php74-devel-7.4.33-1.65.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications. CVE-2024-2756 SUSE Linux Enterprise Module for Web and Scripting 12:apache2-mod_php74-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-bcmath-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-bz2-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-calendar-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-ctype-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-curl-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-dba-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-dom-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-enchant-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-exif-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-fastcgi-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-fileinfo-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-fpm-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-ftp-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-gd-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-gettext-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-gmp-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-iconv-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-intl-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-json-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-ldap-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-mbstring-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-mysql-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-odbc-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-opcache-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-openssl-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-pcntl-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-pdo-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-pgsql-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-phar-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-posix-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-readline-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-shmop-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-snmp-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-soap-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-sockets-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-sodium-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-sqlite-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-sysvmsg-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-sysvsem-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-sysvshm-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-tidy-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-tokenizer-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-xmlreader-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-xmlrpc-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-xmlwriter-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-xsl-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-zip-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-zlib-7.4.33-1.65.1 SUSE Linux Enterprise Software Development Kit 12 SP5:php74-devel-7.4.33-1.65.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241445-1/ https://www.suse.com/security/cve/CVE-2024-2756.html CVE-2024-2756 https://bugzilla.suse.com/1222857 SUSE Bug 1222857 In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true. CVE-2024-3096 SUSE Linux Enterprise Module for Web and Scripting 12:apache2-mod_php74-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-bcmath-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-bz2-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-calendar-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-ctype-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-curl-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-dba-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-dom-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-enchant-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-exif-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-fastcgi-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-fileinfo-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-fpm-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-ftp-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-gd-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-gettext-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-gmp-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-iconv-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-intl-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-json-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-ldap-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-mbstring-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-mysql-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-odbc-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-opcache-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-openssl-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-pcntl-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-pdo-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-pgsql-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-phar-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-posix-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-readline-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-shmop-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-snmp-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-soap-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-sockets-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-sodium-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-sqlite-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-sysvmsg-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-sysvsem-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-sysvshm-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-tidy-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-tokenizer-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-xmlreader-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-xmlrpc-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-xmlwriter-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-xsl-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-zip-7.4.33-1.65.1 SUSE Linux Enterprise Module for Web and Scripting 12:php74-zlib-7.4.33-1.65.1 SUSE Linux Enterprise Software Development Kit 12 SP5:php74-devel-7.4.33-1.65.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241445-1/ https://www.suse.com/security/cve/CVE-2024-3096.html CVE-2024-3096 https://bugzilla.suse.com/1222858 SUSE Bug 1222858