Bugzilla – Bug 1188035
VUL-0: CVE-2021-21704: php53,php7,php72,php5,php74: security issues in pdo_firebase module
Last modified: 2021-08-20 13:55:20 UTC
rh#1978790

Security vulnerabilities in PHP in the pdo_firebase module allow attackers to crash PHP.

References:
https://bugs.php.net/bug.php?id=76448
https://bugs.php.net/bug.php?id=76449
https://bugs.php.net/bug.php?id=76450
https://bugs.php.net/bug.php?id=76452

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1978790
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21704
http://www.debian.org/security/-1/dsa-4935
tracking these as affected (some only partially):

- SUSE:SLE-11:Update/php5
- SUSE:SLE-12:Update/php5

- SUSE:SLE-11-SP3:Update/php53

- SUSE:SLE-12:Update/php7
- SUSE:SLE-15:Update/php7
- SUSE:SLE-15-SP2:Update/php7

- SUSE:SLE-12:Update/php72

- SUSE:SLE-12:Update/php74
This resembles rather a circular definition, so sorry for the question.

It is a bit unusual that four upstream bugs get one CVE without any reasons given. There is only one piece of information in the redhat bug, only one commit related to upstream bug 76449 and nothing more.

Unfortunately none of the other references actually work.

Could you please be more specific about what you actually want?
(In reply to Petr Gajdos from comment #2)
> This resembles rather a circular definition, so sorry for the question.
>
> It is a bit unusual that four upstream bugs get one CVE without any reasons
> given. There is only one piece of information in the redhat bug, only one
> commit related to upstream bug 76449 and nothing more.

Yes, I agree that this is a strange assignment.

> Unfortunately none of the other references actually work.

What do you mean by this? Each bug had a patch in the comments.

76449 -> https://github.com/php/php-src/commit/08da7c73726f7b86b67d6f0ff87c73c585a7834a
76450 -> https://github.com/php/php-src/commit/bcbf8aa0c96d8d9e81ec3428232485555fae0b37
76452 -> https://github.com/php/php-src/commit/286162e9b03071c4308e7e92597bca4239f49d89
76448 -> https://github.com/php/php-src/commit/67afa32541ebc4abbf633cb1e7e879b2fbb616ad

I assumed that they are all relevant.

> Could you please be more specific about what you actually want?

I thought to take the patches which apply to the codestreams and apply them, as all bugs seem to have security implications. So take as much of the patches as possible.

Please let me know if I missed something where this would not make sense.
(In reply to Robert Frohl from comment #3)
> (In reply to Petr Gajdos from comment #2)
> > This resembles rather a circular definition, so sorry for the question.
>
> Yes, I agree that this is a strange assignment.
>
> [..]
>
> > Unfortunately none of the other references actually work.
>
> What do you mean by this? Each bug had a patch in the comments.

My point is:

(In reply to Robert Frohl from comment #0)
> rh#1978790
> [..]
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=1978790
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21704 ---> CVE not found
> http://www.debian.org/security/-1/dsa-4935 ---> page not found

So it seems that the only authoritative source is the redhat bug. If you look at comment 3 in the very same bug, then there is only one commit listed.

> 76449 -> https://github.com/php/php-src/commit/08da7c73726f7b86b67d6f0ff87c73c585a7834a
> 76450 -> https://github.com/php/php-src/commit/bcbf8aa0c96d8d9e81ec3428232485555fae0b37
> 76452 -> https://github.com/php/php-src/commit/286162e9b03071c4308e7e92597bca4239f49d89
> 76448 -> https://github.com/php/php-src/commit/67afa32541ebc4abbf633cb1e7e879b2fbb616ad
>
> I assumed that they are all relevant.

I was just curious what led you to this conclusion, i.e. at least it seems to me that the description of the redhat bug and your interpretation are in conflict with the third comment of the redhat bug. So I was wondering whether and where there is some noise on the channel, as the CVE assignment seems to be strange, as you said yourself. And there's little other info around.

> I thought to take the patches which apply to the codestreams and apply them,
> as all bugs seem to have security implications. So take as much of the
> patches as possible.

All right, I will include all fixes as a CVE-2021-21704 patch.
(In reply to Robert Frohl from comment #1)
> tracking these as affected (some only partially):
>
> - SUSE:SLE-11:Update/php5
> - SUSE:SLE-12:Update/php5
>
> - SUSE:SLE-11-SP3:Update/php53
>
> - SUSE:SLE-12:Update/php7
> - SUSE:SLE-15:Update/php7
> - SUSE:SLE-15-SP2:Update/php7
>
> - SUSE:SLE-12:Update/php72
>
> - SUSE:SLE-12:Update/php74

I think we ship php-firebird nowhere else than in 15sp2/php7. Despite that fact, I will submit it into 15/php7, 12/php74, 12/php72, where there is a chance, even if a small one, that we would enable and ship the firebird extension in the future. In case I am mistaken, please let me know.
Submitted for 15sp2,15/php7, 12/php74 and 12/php72. I believe all fixed.
SUSE-SU-2021:2637-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): php7-7.4.6-3.22.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src): php7-7.4.6-3.22.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): php7-7.4.6-3.22.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): php7-7.4.6-3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:2637-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): php7-7.4.6-3.22.1
SUSE-SU-2021:2636-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php74-7.4.6-1.24.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php74-7.4.6-1.24.1
SUSE-SU-2021:2638-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188035
CVE References: CVE-2021-21704
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php72-7.2.5-1.66.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php72-7.2.5-1.66.1
openSUSE-SU-2021:1130-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188035,1188037
CVE References: CVE-2021-21704,CVE-2021-21705
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): php7-7.4.6-lp152.2.18.1, php7-test-7.4.6-lp152.2.18.1
openSUSE-SU-2021:2795-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188035
CVE References: CVE-2021-21704
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): php7-7.2.5-4.79.1
SUSE-SU-2021:2795-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188035
CVE References: CVE-2021-21704
JIRA References:
Sources used:
SUSE Manager Server 4.0 (src): php7-7.2.5-4.79.1
SUSE Manager Retail Branch Server 4.0 (src): php7-7.2.5-4.79.1
SUSE Manager Proxy 4.0 (src): php7-7.2.5-4.79.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): php7-7.2.5-4.79.1
SUSE Linux Enterprise Server for SAP 15 (src): php7-7.2.5-4.79.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): php7-7.2.5-4.79.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): php7-7.2.5-4.79.1
SUSE Linux Enterprise Server 15-LTSS (src): php7-7.2.5-4.79.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): php7-7.2.5-4.79.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): php7-7.2.5-4.79.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): php7-7.2.5-4.79.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): php7-7.2.5-4.79.1
SUSE Enterprise Storage 6 (src): php7-7.2.5-4.79.1
SUSE CaaS Platform 4.0 (src): php7-7.2.5-4.79.1