Ubuntu Security Notice 6757-1 - It was discovered that PHP incorrectly handled PHP_CLI_SERVER_WORKERS variable. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that PHP incorrectly handled certain cookies. An attacker could possibly use this issue to cookie by pass.
d148d55e0339c28ab206c4e04376d9c0144caabdf1c279dfc99b6ae169bc4172
==========================================================================
Ubuntu Security Notice USN-6757-1
April 29, 2024
php7.0, php7.2, php7.4, php8.1 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in PHP.
Software Description:
- php8.1: HTML-embedded scripting language interpreter
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter
Details:
It was discovered that PHP incorrectly handled PHP_CLI_SERVER_WORKERS variable.
An attacker could possibly use this issue to cause a crash or execute
arbitrary code. This issue only affected Ubuntu 20.04 LTS, and
Ubuntu 22.04 LTS. (CVE-2022-4900)
It was discovered that PHP incorrectly handled certain cookies.
An attacker could possibly use this issue to cookie by pass.
(CVE-2024-2756)
It was discovered that PHP incorrectly handled some passwords.
An attacker could possibly use this issue to cause an account takeover
attack. (CVE-2024-3096)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
libapache2-mod-php8.1 8.1.2-1ubuntu2.16
php8.1 8.1.2-1ubuntu2.16
php8.1-cgi 8.1.2-1ubuntu2.16
php8.1-cli 8.1.2-1ubuntu2.16
php8.1-fpm 8.1.2-1ubuntu2.16
php8.1-xml 8.1.2-1ubuntu2.16
Ubuntu 20.04 LTS
libapache2-mod-php7.4 7.4.3-4ubuntu2.21
php7.4 7.4.3-4ubuntu2.21
php7.4-cgi 7.4.3-4ubuntu2.21
php7.4-cli 7.4.3-4ubuntu2.21
php7.4-fpm 7.4.3-4ubuntu2.21
php7.4-xml 7.4.3-4ubuntu2.21
Ubuntu 18.04 LTS
libapache2-mod-php7.2 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2-cgi 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2-cli 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2-fpm 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2-xml 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libapache2-mod-php7.0 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0-cgi 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0-cli 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0-fpm 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0-xml 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6757-1
CVE-2022-4900, CVE-2024-2756, CVE-2024-3096
Package Information:
https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.16
https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.21