Bugzilla – Bug 1212349
VUL-0: CVE-2023-3247: php74,php8,php72,php5,php7: Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP
Last modified: 2023-09-26 11:58:42 UTC
DSA-5424
It was discovered that PHP's implementation of SOAP HTTP Digest authentication performed insufficient error validation, which may result in a stack information leak or use of weak randomness.
For the oldstable distribution (bullseye), this problem has been fixed in version 7.4.33-1+deb11u4.
We recommend that you upgrade your php7.4 packages.
For the detailed security status of php7.4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/php7.4
References: https://security-tracker.debian.org/tracker/DSA-5424-1
Fixed in 8.2.7, 8.1.20, 8.0.29
https://github.com/php/php-src/security/advisories/GHSA-76gg-c692-v2mw
https://github.com/php/php-src/commit/ac4254ad764c70cb1f05c9270d8d12689fc3aeb6 (php-8.0.29)
https://github.com/php/php-src/commit/32c7c433ac1983c4497349051681a4f361d3d33e (php-8.0.29)

Affected:
- SUSE:SLE-12:Update/php72 7.2.5
- SUSE:SLE-15:Update/php7 7.2.34
- SUSE:SLE-12:Update/php74 7.4.33
- SUSE:SLE-15-SP2:Update/php7 7.4.33
- SUSE:SLE-15-SP4:Update/php7 7.4.33
- SUSE:SLE-15-SP4:Update/php8 8.0.28
- openSUSE:Factory/php8 8.1.19

Unsupported:
- SUSE:SLE-12:Update/php5 5.5.14
- SUSE:SLE-12:Update/php7 7.0.7

Preliminary rating: 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

I will ask the PHP people to request a CVE.
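As an added illustration of the bug class the advisory names (an RNG call whose failure goes unchecked, plus a nonce that is too short), and not code from php-src or from this report: the unchecked Digest client-nonce pattern beside a version that checks the result, fails closed and draws 16 bytes. The RNG stub, the `rng_should_fail` switch, the marker value and the function names are all constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for a CSPRNG call such as a read from the OS random
 * source. Returns 0 on success and -1 on failure; on failure the buffer is
 * left untouched, which is exactly when an unchecked caller keeps whatever
 * the stack already held. */
int rng_should_fail = 0;

int get_random_bytes(unsigned char *buf, size_t len) {
    if (rng_should_fail) {
        return -1;
    }
    for (size_t i = 0; i < len; i++) {
        buf[i] = (unsigned char)(0xA5 ^ (i * 37)); /* deterministic so the demo repeats */
    }
    return 0;
}

/* Vulnerable pattern: the RNG result is ignored and a machine-word nonce is
 * used. The marker value stands in for stale stack contents; in real code the
 * variable would simply be uninitialized and whatever was there would be sent
 * over the wire as the cnonce. */
int cnonce_unchecked(char *out, size_t outlen) {
    uint32_t nonce = 0xDEADBEEFu;                            /* "leftover" stack data */
    get_random_bytes((unsigned char *)&nonce, sizeof nonce); /* return value dropped */
    snprintf(out, outlen, "%08x", (unsigned)nonce);
    return 0;                                                /* reports success regardless */
}

/* Hardened pattern: check the RNG result, fail closed so the caller aborts the
 * Digest handshake, and draw 16 bytes (128 bits) rather than a machine word. */
int cnonce_checked(char *out, size_t outlen) {
    unsigned char nonce[16];
    if (outlen < 2 * sizeof nonce + 1) {
        return -1;                                           /* output too small for hex + NUL */
    }
    if (get_random_bytes(nonce, sizeof nonce) != 0) {
        return -1;                                           /* no nonce, no request */
    }
    for (size_t i = 0; i < sizeof nonce; i++) {
        snprintf(out + 2 * i, 3, "%02x", (unsigned)nonce[i]);
    }
    return 0;
}
```

With the stub forced to fail, the unchecked version still reports success and emits the marker bytes as its nonce, while the checked version refuses to produce one.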
(In reply to Hu from comment #1)
> - SUSE:SLE-12:Update/php72 7.2.5

This is no longer supported.
https://confluence.suse.com/display/SLE/PHP
(In reply to Hu from comment #1)
> i will ask the php people to request a cve

Thanks, stas replied already:
----------------------
Hi!
OK I requested CVE-2023-3247 for it. I'll fill in the details for it a bit later.
(In reply to Petr Gajdos from comment #2)
> (In reply to Hu from comment #1)
> > - SUSE:SLE-12:Update/php72 7.2.5
>
> This is no longer supported.
> https://confluence.suse.com/display/SLE/PHP

Okay, thanks, I will track it accordingly.
8.1.20 is already submitted into openSUSE:Factory.
No testcase known. Submitted for 15sp4/php8, php7, 15sp2/php7, 12/php74 and 15/php7. I believe all fixed.
SUSE-SU-2023:2610-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1212349
CVE References: CVE-2023-3247
Sources used:
- Web and Scripting Module 15-SP5 (src): php8-fpm-8.0.29-150400.4.34.1, php8-fastcgi-8.0.29-150400.4.34.1, apache2-mod_php8-8.0.29-150400.4.34.1, php8-8.0.29-150400.4.34.1, php8-embed-8.0.29-150400.4.34.1, php8-test-8.0.29-150400.4.34.1
- openSUSE Leap 15.4 (src): php8-fpm-8.0.29-150400.4.34.1, php8-fastcgi-8.0.29-150400.4.34.1, apache2-mod_php8-8.0.29-150400.4.34.1, php8-8.0.29-150400.4.34.1, php8-embed-8.0.29-150400.4.34.1, php8-test-8.0.29-150400.4.34.1
- openSUSE Leap 15.5 (src): php8-fpm-8.0.29-150400.4.34.1, php8-fastcgi-8.0.29-150400.4.34.1, apache2-mod_php8-8.0.29-150400.4.34.1, php8-8.0.29-150400.4.34.1, php8-embed-8.0.29-150400.4.34.1, php8-test-8.0.29-150400.4.34.1
- Web and Scripting Module 15-SP4 (src): php8-fpm-8.0.29-150400.4.34.1, php8-fastcgi-8.0.29-150400.4.34.1, apache2-mod_php8-8.0.29-150400.4.34.1, php8-8.0.29-150400.4.34.1, php8-embed-8.0.29-150400.4.34.1, php8-test-8.0.29-150400.4.34.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:2828-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1212349
CVE References: CVE-2023-3247
Sources used:
- openSUSE Leap 15.4 (src): php7-test-7.4.33-150400.4.25.1, php7-fastcgi-7.4.33-150400.4.25.1, php7-7.4.33-150400.4.25.1, php7-embed-7.4.33-150400.4.25.1, apache2-mod_php7-7.4.33-150400.4.25.1, php7-fpm-7.4.33-150400.4.25.1
- openSUSE Leap 15.5 (src): php7-test-7.4.33-150400.4.25.1, php7-fastcgi-7.4.33-150400.4.25.1, php7-7.4.33-150400.4.25.1, php7-embed-7.4.33-150400.4.25.1, apache2-mod_php7-7.4.33-150400.4.25.1, php7-fpm-7.4.33-150400.4.25.1
- Legacy Module 15-SP4 (src): php7-fpm-7.4.33-150400.4.25.1, apache2-mod_php7-7.4.33-150400.4.25.1, php7-fastcgi-7.4.33-150400.4.25.1, php7-7.4.33-150400.4.25.1
- Legacy Module 15-SP5 (src): php7-fpm-7.4.33-150400.4.25.1, apache2-mod_php7-7.4.33-150400.4.25.1, php7-fastcgi-7.4.33-150400.4.25.1, php7-7.4.33-150400.4.25.1
- SUSE Package Hub 15 15-SP4 (src): php7-embed-7.4.33-150400.4.25.1
- SUSE Package Hub 15 15-SP5 (src): php7-embed-7.4.33-150400.4.25.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:2848-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1212349
CVE References: CVE-2023-3247
Sources used:
- Web and Scripting Module 12 (src): php74-7.4.33-1.59.1
- SUSE Linux Enterprise Software Development Kit 12 SP5 (src): php74-7.4.33-1.59.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:2980-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1212349
CVE References: CVE-2023-3247
Sources used:
- SUSE Manager Server 4.2 (src): php7-7.4.33-150200.3.57.1
- openSUSE Leap 15.4 (src): php7-7.4.33-150200.3.57.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration:
This bug (1212349) was mentioned in
https://build.opensuse.org/request/show/1113638 Factory / php8
Done, closing.