ALAS-2021-1532


Amazon Linux AMI Security Advisory: ALAS-2021-1532
Advisory Release Date: 2021-09-02 22:54 Pacific
Advisory Updated Date: 2021-09-08 19:28 Pacific
Severity: Medium

Issue Overview:

Several flaws has been found in php. The pdo_firebase module does not check the length of the server version string in a response packet causing a stack buffer overflow, does not verify the data and uses the wrong type to cast length leading to a crash, and does not validate the response before calculation of the exec procedure leading to a crash. The highest threat from this vulnerability is to system availability. (CVE-2021-21704)

A security issue was found in PHP in the way it allows to bypass the FILTER_VALIDATE_URL check via a crafted URL which may lead to SSRF. (CVE-2021-21705)


Affected Packages:

php73


Issue Correction:
Run yum update php73 to update your system.

New Packages:
i686:
    php73-fpm-7.3.29-1.30.amzn1.i686
    php73-7.3.29-1.30.amzn1.i686
    php73-imap-7.3.29-1.30.amzn1.i686
    php73-pdo-7.3.29-1.30.amzn1.i686
    php73-odbc-7.3.29-1.30.amzn1.i686
    php73-mysqlnd-7.3.29-1.30.amzn1.i686
    php73-ldap-7.3.29-1.30.amzn1.i686
    php73-opcache-7.3.29-1.30.amzn1.i686
    php73-dbg-7.3.29-1.30.amzn1.i686
    php73-snmp-7.3.29-1.30.amzn1.i686
    php73-common-7.3.29-1.30.amzn1.i686
    php73-pdo-dblib-7.3.29-1.30.amzn1.i686
    php73-dba-7.3.29-1.30.amzn1.i686
    php73-embedded-7.3.29-1.30.amzn1.i686
    php73-recode-7.3.29-1.30.amzn1.i686
    php73-devel-7.3.29-1.30.amzn1.i686
    php73-process-7.3.29-1.30.amzn1.i686
    php73-pspell-7.3.29-1.30.amzn1.i686
    php73-gd-7.3.29-1.30.amzn1.i686
    php73-json-7.3.29-1.30.amzn1.i686
    php73-tidy-7.3.29-1.30.amzn1.i686
    php73-debuginfo-7.3.29-1.30.amzn1.i686
    php73-xml-7.3.29-1.30.amzn1.i686
    php73-intl-7.3.29-1.30.amzn1.i686
    php73-soap-7.3.29-1.30.amzn1.i686
    php73-pgsql-7.3.29-1.30.amzn1.i686
    php73-mbstring-7.3.29-1.30.amzn1.i686
    php73-xmlrpc-7.3.29-1.30.amzn1.i686
    php73-gmp-7.3.29-1.30.amzn1.i686
    php73-bcmath-7.3.29-1.30.amzn1.i686
    php73-cli-7.3.29-1.30.amzn1.i686
    php73-enchant-7.3.29-1.30.amzn1.i686

src:
    php73-7.3.29-1.30.amzn1.src

x86_64:
    php73-enchant-7.3.29-1.30.amzn1.x86_64
    php73-process-7.3.29-1.30.amzn1.x86_64
    php73-7.3.29-1.30.amzn1.x86_64
    php73-embedded-7.3.29-1.30.amzn1.x86_64
    php73-cli-7.3.29-1.30.amzn1.x86_64
    php73-pspell-7.3.29-1.30.amzn1.x86_64
    php73-debuginfo-7.3.29-1.30.amzn1.x86_64
    php73-gmp-7.3.29-1.30.amzn1.x86_64
    php73-fpm-7.3.29-1.30.amzn1.x86_64
    php73-recode-7.3.29-1.30.amzn1.x86_64
    php73-opcache-7.3.29-1.30.amzn1.x86_64
    php73-mysqlnd-7.3.29-1.30.amzn1.x86_64
    php73-dbg-7.3.29-1.30.amzn1.x86_64
    php73-dba-7.3.29-1.30.amzn1.x86_64
    php73-snmp-7.3.29-1.30.amzn1.x86_64
    php73-ldap-7.3.29-1.30.amzn1.x86_64
    php73-pgsql-7.3.29-1.30.amzn1.x86_64
    php73-tidy-7.3.29-1.30.amzn1.x86_64
    php73-json-7.3.29-1.30.amzn1.x86_64
    php73-imap-7.3.29-1.30.amzn1.x86_64
    php73-mbstring-7.3.29-1.30.amzn1.x86_64
    php73-bcmath-7.3.29-1.30.amzn1.x86_64
    php73-pdo-dblib-7.3.29-1.30.amzn1.x86_64
    php73-pdo-7.3.29-1.30.amzn1.x86_64
    php73-soap-7.3.29-1.30.amzn1.x86_64
    php73-devel-7.3.29-1.30.amzn1.x86_64
    php73-odbc-7.3.29-1.30.amzn1.x86_64
    php73-xmlrpc-7.3.29-1.30.amzn1.x86_64
    php73-gd-7.3.29-1.30.amzn1.x86_64
    php73-intl-7.3.29-1.30.amzn1.x86_64
    php73-common-7.3.29-1.30.amzn1.x86_64
    php73-xml-7.3.29-1.30.amzn1.x86_64