Amazon Linux 2 Security Advisory: ALASPHP8.0-2023-006
Advisory Release Date: 2023-08-21 21:00 Pacific
Advisory Updated Date: 2023-09-13 19:32 Pacific
A vulnerability was found in PHP due to an uninitialized array in pg_query_params() function. When using the Postgres database extension, supplying invalid parameters to the parameterized query may lead to PHP attempting to free memory, using uninitialized data as pointers. This flaw allows a remote attacker with the ability to control query parameters to execute arbitrary code on the system or may cause a denial of service. (CVE-2022-31625)
A buffer overflow vulnerability was found in PHP when processing passwords in mysqlnd/pdo in mysqlnd_wireprotocol.c. When using the pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply a password to the host for the connection, a password of excessive length can trigger a buffer overflow in PHP. This flaw allows a remote attacker to pass a password (with an excessive length) via PDO to the MySQL server, triggering arbitrary code execution on the target system. (CVE-2022-31626)
Affected Packages:
php
Note:
This advisory is applicable to Amazon Linux 2 - Php8.0 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update php to update your system.
aarch64:
php-8.0.20-1.amzn2.aarch64
php-cli-8.0.20-1.amzn2.aarch64
php-dbg-8.0.20-1.amzn2.aarch64
php-fpm-8.0.20-1.amzn2.aarch64
php-common-8.0.20-1.amzn2.aarch64
php-devel-8.0.20-1.amzn2.aarch64
php-opcache-8.0.20-1.amzn2.aarch64
php-ldap-8.0.20-1.amzn2.aarch64
php-pdo-8.0.20-1.amzn2.aarch64
php-mysqlnd-8.0.20-1.amzn2.aarch64
php-pgsql-8.0.20-1.amzn2.aarch64
php-process-8.0.20-1.amzn2.aarch64
php-odbc-8.0.20-1.amzn2.aarch64
php-soap-8.0.20-1.amzn2.aarch64
php-snmp-8.0.20-1.amzn2.aarch64
php-xml-8.0.20-1.amzn2.aarch64
php-mbstring-8.0.20-1.amzn2.aarch64
php-gd-8.0.20-1.amzn2.aarch64
php-bcmath-8.0.20-1.amzn2.aarch64
php-gmp-8.0.20-1.amzn2.aarch64
php-dba-8.0.20-1.amzn2.aarch64
php-embedded-8.0.20-1.amzn2.aarch64
php-pspell-8.0.20-1.amzn2.aarch64
php-intl-8.0.20-1.amzn2.aarch64
php-enchant-8.0.20-1.amzn2.aarch64
php-sodium-8.0.20-1.amzn2.aarch64
php-debuginfo-8.0.20-1.amzn2.aarch64
src:
php-8.0.20-1.amzn2.src
x86_64:
php-8.0.20-1.amzn2.x86_64
php-cli-8.0.20-1.amzn2.x86_64
php-dbg-8.0.20-1.amzn2.x86_64
php-fpm-8.0.20-1.amzn2.x86_64
php-common-8.0.20-1.amzn2.x86_64
php-devel-8.0.20-1.amzn2.x86_64
php-opcache-8.0.20-1.amzn2.x86_64
php-ldap-8.0.20-1.amzn2.x86_64
php-pdo-8.0.20-1.amzn2.x86_64
php-mysqlnd-8.0.20-1.amzn2.x86_64
php-pgsql-8.0.20-1.amzn2.x86_64
php-process-8.0.20-1.amzn2.x86_64
php-odbc-8.0.20-1.amzn2.x86_64
php-soap-8.0.20-1.amzn2.x86_64
php-snmp-8.0.20-1.amzn2.x86_64
php-xml-8.0.20-1.amzn2.x86_64
php-mbstring-8.0.20-1.amzn2.x86_64
php-gd-8.0.20-1.amzn2.x86_64
php-bcmath-8.0.20-1.amzn2.x86_64
php-gmp-8.0.20-1.amzn2.x86_64
php-dba-8.0.20-1.amzn2.x86_64
php-embedded-8.0.20-1.amzn2.x86_64
php-pspell-8.0.20-1.amzn2.x86_64
php-intl-8.0.20-1.amzn2.x86_64
php-enchant-8.0.20-1.amzn2.x86_64
php-sodium-8.0.20-1.amzn2.x86_64
php-debuginfo-8.0.20-1.amzn2.x86_64