Ondřej Surý has announced the release of updated PHP packages for Debian GNU/Linux, covering versions from 5.6 to 8.5. These updates are crucial for addressing security vulnerabilities that could potentially be exploited. Specifically, the updates rectify three significant security issues:
1. Command Injection Vulnerability: The vulnerability associated with CVE-2024-1874 pertains to the `proc_open` function, where an attacker might exploit a controlled `$command` parameter to execute arbitrary commands.
2. Cookie Bypass Attack: This vulnerability connects to CVE-2022-31629 and involves a flaw in older code that could allow attackers to bypass cookie security measures.
3. Password Verification Issue: This issue affects PHP's password verification function, which could wrongly flag valid passwords as invalid, posing a significant security risk.
The updated packages include PHP versions 8.5.1, 8.4.16, 8.3.29, 8.2.30, and 8.1.34, among others, and are available for Debian 11 (Bullseye) LTS, Debian 12 (Bookworm), and Debian 13 (Trixie).
To integrate these packages into your Debian system, you can use the following commands to add the repository and install necessary dependencies:
For more information, users can refer to the official website at deb.sury.org, which also provides access to a dedicated bug tracker for the packages.
Users are encouraged to regularly check for updates and apply them promptly to mitigate any risks associated with known vulnerabilities. Additionally, developers should consider keeping their codebases aligned with the latest PHP versions to take advantage of new features and improvements alongside security enhancements
1. Command Injection Vulnerability: The vulnerability associated with CVE-2024-1874 pertains to the `proc_open` function, where an attacker might exploit a controlled `$command` parameter to execute arbitrary commands.
2. Cookie Bypass Attack: This vulnerability connects to CVE-2022-31629 and involves a flaw in older code that could allow attackers to bypass cookie security measures.
3. Password Verification Issue: This issue affects PHP's password verification function, which could wrongly flag valid passwords as invalid, posing a significant security risk.
The updated packages include PHP versions 8.5.1, 8.4.16, 8.3.29, 8.2.30, and 8.1.34, among others, and are available for Debian 11 (Bullseye) LTS, Debian 12 (Bookworm), and Debian 13 (Trixie).
To integrate these packages into your Debian system, you can use the following commands to add the repository and install necessary dependencies:
bashif [ "$(whoami)" != "root" ]; then
SUDO=sudo
fi
${SUDO} apt-get -y install apt-transport-https lsb-release ca-certificates curl
${SUDO} wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
${SUDO} sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
${SUDO} apt-get update
For more information, users can refer to the official website at deb.sury.org, which also provides access to a dedicated bug tracker for the packages.
Extension:
These updates signify a commitment to maintaining the security and reliability of PHP across its various versions. As the landscape of web development evolves, it is essential for developers and server administrators to stay current with security patches to protect their applications from potential exploits. This proactive approach not only secures individual websites but also contributes to the overall integrity of the web ecosystem.Users are encouraged to regularly check for updates and apply them promptly to mitigate any risks associated with known vulnerabilities. Additionally, developers should consider keeping their codebases aligned with the latest PHP versions to take advantage of new features and improvements alongside security enhancements
PHP 8.5.1, PHP 8.4.16, 8.3.29, 8.2.30, 8.1.34 Debian packages released
Ondřej Surý has released updated PHP packages for Debian GNU/Linux users, including versions from 5.6 to 8.5, addressing security issues across multiple versions. The updates fix three vulnerabilities: command injection via proc_open, CVE-2024-1874; a cookie bypass attack related to CVE-2022-31629 and patched as CVE-2024-2756; and an issue with PHP's password verification function. To add the repository to your Debian installation, you can use a provided script that installs necessary dependencies and configures the repository. Further details on the packages and bug tracker are available at deb.sury.org.
PHP 8.5.1, PHP 8.4.16, 8.3.29, 8.2.30, 8.1.34 Debian packages released @ Linux Compatible
