Ubuntu Security Notice 6305-2 - USN-6305-1 fixed several vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. It was discovered that PHP incorrectly handled certain XML files. An attacker could possibly use this issue to expose sensitive information.
caacfeb4e539a353abe770f6325dbffce7919a619b169957ffad81b1917bb00b
==========================================================================
Ubuntu Security Notice USN-6305-2
February 27, 2024
php7.0, php7.2, php7.4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in PHP.
Software Description:
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter
Details:
USN-6305-1 fixed several vulnerabilities in PHP. This update provides
the corresponding update for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that PHP incorrectly handled certain XML files.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2023-3823)
It was discovered that PHP incorrectly handled certain PHAR files.
An attacker could possibly use this issue to cause a crash,
expose sensitive information or execute arbitrary code.
(CVE-2023-3824)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
libapache2-mod-php7.4 7.4.3-4ubuntu2.20
php7.4 7.4.3-4ubuntu2.20
php7.4-cgi 7.4.3-4ubuntu2.20
php7.4-cli 7.4.3-4ubuntu2.20
php7.4-fpm 7.4.3-4ubuntu2.20
php7.4-xml 7.4.3-4ubuntu2.20
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
libapache2-mod-php7.2 7.2.24-0ubuntu0.18.04.17+esm2
php7.2 7.2.24-0ubuntu0.18.04.17+esm2
php7.2-cgi 7.2.24-0ubuntu0.18.04.17+esm2
php7.2-cli 7.2.24-0ubuntu0.18.04.17+esm2
php7.2-fpm 7.2.24-0ubuntu0.18.04.17+esm2
php7.2-xml 7.2.24-0ubuntu0.18.04.17+esm2
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libapache2-mod-php7.0 7.0.33-0ubuntu0.16.04.16+esm8
php7.0 7.0.33-0ubuntu0.16.04.16+esm8
php7.0-cgi 7.0.33-0ubuntu0.16.04.16+esm8
php7.0-cli 7.0.33-0ubuntu0.16.04.16+esm8
php7.0-fpm 7.0.33-0ubuntu0.16.04.16+esm8
php7.0-xml 7.0.33-0ubuntu0.16.04.16+esm8
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6305-2
https://ubuntu.com/security/notices/USN-6305-1
CVE-2023-3823, CVE-2023-3824
Package Information:
https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.20