OESA-2023-1623

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1623
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2023-1623.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2023-1623
Upstream
Published
2023-09-09T11:05:54Z
Modified
2025-08-12T05:20:29.246668Z
Summary
php security update
Details

PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server.

Security Fix(es):

In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, and 8.2.* before 8.2.7, when using SOAP HTTP Digest Authentication, the random value generator was not checked for failure and used a narrower range of values than it should have. In case of random generator failure, this could lead to the disclosure of 31 bits of uninitialized memory from the client to the server, and it also made it easier for a malicious server to guess the client's nonce.

(CVE-2023-3247)

In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, various XML functions rely on libxml global state to track configuration variables, such as whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling the appropriate function. However, since the state is process-global, other modules, such as ImageMagick, may also use this library within the same process, change that global state for their own purposes, and leave it in a state where external entity loading is enabled. This can lead to a situation where external XML is parsed with external entities loaded, which can lead to the disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.

(CVE-2023-3823)

In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading a phar file, insufficient length checking while reading PHAR directory entries may lead to a stack buffer overflow, potentially resulting in memory corruption or RCE.

(CVE-2023-3824)

Database specific
{
    "severity": "Medium"
}
References

Affected packages

openEuler:22.03-LTS-SP2 / php

Package

Name
php
Purl
pkg:rpm/openEuler/php&distro=openEuler-22.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
8.0.30-1.oe2203sp2

Ecosystem specific

{
    "src": [
        "php-8.0.30-1.oe2203sp2.src.rpm"
    ],
    "x86_64": [
        "php-intl-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-dbg-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-enchant-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-common-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-gmp-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-help-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-xml-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-mysqlnd-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-sodium-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-bcmath-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-snmp-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-debuginfo-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-pdo-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-embedded-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-pgsql-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-ldap-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-gd-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-odbc-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-devel-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-mbstring-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-tidy-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-opcache-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-fpm-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-debugsource-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-process-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-dba-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-cli-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-soap-8.0.30-1.oe2203sp2.x86_64.rpm",
        "php-ffi-8.0.30-1.oe2203sp2.x86_64.rpm"
    ],
    "aarch64": [
        "php-dba-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-bcmath-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-cli-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-devel-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-dbg-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-snmp-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-sodium-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-ldap-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-fpm-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-pgsql-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-common-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-opcache-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-tidy-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-gmp-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-help-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-enchant-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-intl-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-gd-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-mbstring-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-embedded-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-debugsource-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-mysqlnd-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-odbc-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-pdo-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-xml-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-soap-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-debuginfo-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-process-8.0.30-1.oe2203sp2.aarch64.rpm",
        "php-ffi-8.0.30-1.oe2203sp2.aarch64.rpm"
    ]
}