Bugzilla – Bug 1222857
VUL-0: CVE-2024-2756: php5,php53,php7,php72,php74,php8: php: host/secure cookie bypass due to partial fix
Last modified: 2024-06-17 08:30:23 UTC
Due to an incomplete fix to CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications. The vulnerability is identical to one previously described in https://bugs.php.net/bug.php?id=81727. Unfortunately, since CVE-2022-31629 got only partially fixed in PHP >8.1.11, cookies starting with _[Host- are parsed by PHP applications as __Host-.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-2756
https://seclists.org/oss-sec/2024/q2/113
https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr
https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4
https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq
https://bugzilla.redhat.com/show_bug.cgi?id=2275058
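An added example (not from the bug report, the advisory or php-src): a check that a proxy or log pipeline could run over raw Cookie header values to flag names such as `_[Host-` that only match `__Host-` or `__Secure-` after PHP's name mangling. The mangling model (space, dot and `[` all become `_`) is a conservative assumption rather than PHP's actual parser, and the function names and sample headers are constructed.

```python
"""Flag cookie names that PHP name mangling could turn into __Host-/__Secure-.

Conservative model for detection; it does not reproduce PHP's parser.
"""

PREFIXES = ("__Host-", "__Secure-")

# Characters PHP rewrites to "_" in incoming variable names. An unmatched "["
# is the case this bug covers; here every "[" is treated as "_" (assumption),
# which can over-report but does not miss the pattern described above.
MANGLED = str.maketrans({" ": "_", ".": "_", "[": "_"})


def cookie_names(header_value):
    """Yield the raw cookie names from a Cookie request-header value."""
    for pair in header_value.split(";"):
        # Whitespace after the ";" separator is not part of the name.
        name = pair.split("=", 1)[0].lstrip()
        if name:
            yield name


def spoofed_prefix_names(header_value):
    """Return raw names that match a protected prefix only after mangling."""
    hits = []
    for name in cookie_names(header_value):
        mangled = name.translate(MANGLED)
        for prefix in PREFIXES:
            if mangled.startswith(prefix) and not name.startswith(prefix):
                hits.append(name)
                break
    return hits


# Constructed sample header values (not taken from the bug report).
SAMPLES = [
    "__Host-session=abc; theme=dark",    # genuine prefix: not flagged
    "_[Host-session=evil; theme=dark",   # the pattern described in this bug
    "theme=dark; ..Secure-token=evil",   # dots mangled to underscores
    "a.b=1; _Host-x=2",                  # mangled, but no protected prefix
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", spoofed_prefix_names(value))
```

A hit means the browser never enforced the `__Host-`/`__Secure-` guarantees for that cookie, so an unpatched PHP application would be trusting a name the client could set over an insecure channel.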
Advisory related to this CVE: https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4
https://github.com/php/php-src/commit/093c08af25fb323efa0c8e6154aa9fdeae3d3b53
Test succeeded even BEFORE.
it might have been fully fixed in 8.0 and older already, the advisory only mentions 8.1 as half fixed?
(In reply to Marcus Meissner from comment #4)
> it might have been fully fixed in 8.0 and older already, the advisory only
> mentions 8.1 as half fixed?

It seems that the code needs the patch, will check further.
Submitted for: b15sp1/php81 (a version update) 15sp4/php8,php7, 15sp2/php7, 12/php74.
This is an autogenerated message for OBS integration: This bug (1222857) was mentioned in https://build.opensuse.org/request/show/1169082 Backports:SLE-15-SP5 / php81
SUSE-SU-2024:1446-1: An update that solves two vulnerabilities can now be installed.
Category: security (moderate)
Bug References: 1222857, 1222858
CVE References: CVE-2024-2756, CVE-2024-3096
Maintenance Incident: [SUSE:Maintenance:33460](https://smelt.suse.de/incident/33460/)
Sources used:
openSUSE Leap 15.4 (src): php8-8.0.30-150400.4.40.1, php8-fastcgi-8.0.30-150400.4.40.1, php8-test-8.0.30-150400.4.40.1, apache2-mod_php8-8.0.30-150400.4.40.1, php8-embed-8.0.30-150400.4.40.1, php8-fpm-8.0.30-150400.4.40.1
openSUSE Leap 15.5 (src): php8-8.0.30-150400.4.40.1, php8-fastcgi-8.0.30-150400.4.40.1, php8-test-8.0.30-150400.4.40.1, apache2-mod_php8-8.0.30-150400.4.40.1, php8-embed-8.0.30-150400.4.40.1, php8-fpm-8.0.30-150400.4.40.1
Web and Scripting Module 15-SP5 (src): php8-8.0.30-150400.4.40.1, php8-fastcgi-8.0.30-150400.4.40.1, php8-test-8.0.30-150400.4.40.1, apache2-mod_php8-8.0.30-150400.4.40.1, php8-embed-8.0.30-150400.4.40.1, php8-fpm-8.0.30-150400.4.40.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1445-1: An update that solves two vulnerabilities can now be installed.
Category: security (moderate)
Bug References: 1222857, 1222858
CVE References: CVE-2024-2756, CVE-2024-3096
Maintenance Incident: [SUSE:Maintenance:33462](https://smelt.suse.de/incident/33462/)
Sources used:
Web and Scripting Module 12 (src): php74-7.4.33-1.65.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): php74-7.4.33-1.65.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1444-1: An update that solves two vulnerabilities can now be installed.
Category: security (moderate)
Bug References: 1222857, 1222858
CVE References: CVE-2024-2756, CVE-2024-3096
Maintenance Incident: [SUSE:Maintenance:33461](https://smelt.suse.de/incident/33461/)
Sources used:
openSUSE Leap 15.4 (src): php7-7.4.33-150400.4.34.1, php7-embed-7.4.33-150400.4.34.1, php7-fpm-7.4.33-150400.4.34.1, apache2-mod_php7-7.4.33-150400.4.34.1, php7-test-7.4.33-150400.4.34.1, php7-fastcgi-7.4.33-150400.4.34.1
openSUSE Leap 15.5 (src): php7-7.4.33-150400.4.34.1, php7-embed-7.4.33-150400.4.34.1, php7-fpm-7.4.33-150400.4.34.1, apache2-mod_php7-7.4.33-150400.4.34.1, php7-test-7.4.33-150400.4.34.1, php7-fastcgi-7.4.33-150400.4.34.1
Legacy Module 15-SP5 (src): php7-7.4.33-150400.4.34.1, php7-fpm-7.4.33-150400.4.34.1, apache2-mod_php7-7.4.33-150400.4.34.1, php7-fastcgi-7.4.33-150400.4.34.1
SUSE Package Hub 15 15-SP5 (src): php7-embed-7.4.33-150400.4.34.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2024:0115-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1222857,1222858
CVE References: CVE-2022-31629,CVE-2024-2756,CVE-2024-3096
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): apache2-mod_php81-8.1.28-bp155.8.1, php81-8.1.28-bp155.8.1, php81-embed-8.1.28-bp155.8.1, php81-fastcgi-8.1.28-bp155.8.1, php81-fpm-8.1.28-bp155.8.1, php81-test-8.1.28-bp155.8.3
Submitted for ALP: https://build.suse.de/request/show/329903
Submitted for SFFO: https://build.suse.de/request/show/329904
(In reply to Petr Gajdos from comment #13)
> Submitted for ALP:
> https://build.suse.de/request/show/329903

Reopened.
This is an autogenerated message for OBS integration: This bug (1222857) was mentioned in https://build.opensuse.org/request/show/1180000 Factory / php8
SUSE-SU-2024:2037-1: An update that solves three vulnerabilities can now be installed.
Category: security (important)
Bug References: 1222857, 1222858, 1226073
CVE References: CVE-2024-2756, CVE-2024-3096, CVE-2024-5458
Maintenance Incident: [SUSE:Maintenance:33467](https://smelt.suse.de/incident/33467/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): php7-7.4.33-150200.3.65.1
SUSE Enterprise Storage 7.1 (src): php7-7.4.33-150200.3.65.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.